Educause Security Discussion mailing list archives

Re: Broadcast DOS Attacks


From: "Wood, Anne M (wood)" <wood () JUNIATA EDU>
Date: Fri, 15 Oct 2004 14:06:03 -0400

Hi Ralph,

Please see my responses below.

Thanks,
Anne 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ralph Fasano
Sent: Friday, October 15, 2004 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Broadcast DOS Attacks

Hi all... I'm new to this list so if this has been answered already I
apologize... BUT

Here goes...

For the past several weeks we have been the victim of several high
broadcast attacks on our campus.  Our firewall gets inundated and
basically shuts down all other traffic, both inbound and outbound, thus
appearing as if the network is down. In fact, that is what gets reported
to our help desk.  Sometimes these attacks last for 10-20 minutes;
other times, several hours.

We have seen similar activity several times on our network.  A computer
starts scanning random(?) IP subnets, creating tons of outbound traffic.
Our firewall translation tables fill up because the infected computer
appears to spoof its IP address and change it quite frequently.  The
virus description that comes closest to describing what we are seeing is
the IRC/Flood virus (as named by Symantec), although I don't see any
mention of the IP spoofing.

Is anyone else experiencing these symptoms, and what are you doing to
combat them?
After several hours of investigation, we have identified and picked up a
student computer to investigate whether the Windows updates are current
and whether our (campus license) Norton AntiVirus is up to date.

In order to track down and eliminate the problem, we turn on access
control lists on our edge devices that block all traffic that is not
coming from a valid IP address for that particular segment of the
network.  This appears to work because every time we have come across
the problem, the spoofed IP is not a valid address for the building the
problematic traffic is coming from.


Does anyone have any automated tools that would help identify and
quarantine any such computer? The broadcast traffic is through the roof! :-(

thanks

Ralph Fasano
Associate VP, Office of Information Technology
Rhode Island School of Design
rfasano () risd edu
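The two controls discussed in this exchange, the per-segment anti-spoofing filter turned on at the edge and the hunt for a single host sweeping many subnets, as an added example that is not part of either Anne's or Ralph's messages. It runs offline over constructed flow records (interface, source, destination) standing in for NetFlow or firewall translation-table entries; the interface names, prefixes, flow records and the Cisco IOS-style ACL syntax it emits are assumptions for illustration, not anything from the thread.

```python
"""Added example, not code from the original thread: flag sources whose
address is not valid for the segment they arrived on, flag a host that is
sweeping many destination subnets, and emit the matching ingress ACL lines.
Interface names, prefixes, flow records and the Cisco IOS-style ACL syntax
below are assumptions for illustration."""
import ipaddress
from collections import defaultdict

# Assumed: each edge interface (one building segment) and the only prefix
# that may legitimately source traffic on it.
SEGMENT_PREFIXES = {
    "Vlan10": ipaddress.ip_network("10.10.0.0/24"),  # hypothetical residence hall A
    "Vlan20": ipaddress.ip_network("10.20.0.0/24"),  # hypothetical residence hall B
}

# Constructed flow records (ingress interface, source IP, destination IP).
SAMPLE_FLOWS = [
    ("Vlan10", "10.10.0.57", "192.0.2.10"),
    ("Vlan10", "10.10.0.57", "192.0.2.11"),
    ("Vlan10", "10.10.0.57", "198.51.100.7"),
    ("Vlan10", "10.10.0.57", "203.0.113.9"),
    ("Vlan10", "172.16.99.4", "198.51.100.1"),    # not a Vlan10 address
    ("Vlan10", "172.16.99.4", "203.0.113.77"),    # same spoofed source again
    ("Vlan10", "10.20.0.8", "198.51.100.2"),      # Vlan20 address seen on Vlan10
    ("Vlan20", "10.20.0.8", "203.0.113.5"),       # legitimate on Vlan20
    ("Vlan10", "10.10.0.200", "203.0.113.6"),
]


def spoofed_sources(flows, prefixes):
    """Map interface -> {source IP: flow count} for sources that fall
    outside the prefix assigned to the interface they were seen on.
    Flows from an interface with no known prefix are counted too, so an
    unmapped segment is never silently trusted."""
    hits = defaultdict(lambda: defaultdict(int))
    for ifname, src, _dst in flows:
        prefix = prefixes.get(ifname)
        if prefix is None or ipaddress.ip_address(src) not in prefix:
            hits[ifname][src] += 1
    return {ifname: dict(srcs) for ifname, srcs in hits.items()}


def scanning_sources(flows, min_dst_nets=3):
    """Map (interface, source IP) -> number of distinct destination /24s
    for sources that touched at least min_dst_nets of them; one host
    sweeping random subnets stands out by this count even at a low rate."""
    nets = defaultdict(set)
    for ifname, src, dst in flows:
        nets[(ifname, src)].add(ipaddress.ip_network(f"{dst}/24", strict=False))
    return {key: len(v) for key, v in nets.items() if len(v) >= min_dst_nets}


def quarantine_candidates(flows, prefixes, min_dst_nets=3):
    """Sorted (interface, source IP) pairs worth pulling off the network:
    anything spoofing its source plus anything sweeping subnets."""
    cands = {(ifname, src)
             for ifname, srcs in spoofed_sources(flows, prefixes).items()
             for src in srcs}
    cands |= set(scanning_sources(flows, min_dst_nets))
    return sorted(cands)


def ingress_acl(ifname, prefix):
    """Cisco IOS-style (assumed syntax) named ACL for one segment: permit
    only the segment's own prefix as source and log everything else."""
    return [
        f"ip access-list extended ANTISPOOF-{ifname.upper()}",
        f" permit ip {prefix.network_address} {prefix.hostmask} any",
        " deny ip any any log",
    ]


if __name__ == "__main__":
    for ifname, srcs in spoofed_sources(SAMPLE_FLOWS, SEGMENT_PREFIXES).items():
        for src, n in srcs.items():
            print(f"spoofed: {src} on {ifname} ({n} flows)")
    for (ifname, src), n in scanning_sources(SAMPLE_FLOWS).items():
        print(f"scanning: {src} on {ifname} touched {n} destination /24s")
    print("quarantine:", quarantine_candidates(SAMPLE_FLOWS, SEGMENT_PREFIXES))
    for ifname, prefix in SEGMENT_PREFIXES.items():
        print("\n".join(ingress_acl(ifname, prefix)))
```

The spoof check only needs the interface-to-prefix map and the ingress interface of each flow, which is why the ACL works even when the infected host keeps changing its source address: every forged address is still wrong for the building it came from. The subnet-sweep count is the complementary check for a host that has not forged its address at all.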

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
