Educause Security Discussion mailing list archives
Re: Broadcast DOS Attacks
From: "Wood, Anne M (wood)" <wood () JUNIATA EDU>
Date: Fri, 15 Oct 2004 14:06:03 -0400
Hi Ralph,

Please see my responses below.

Thanks,
Anne

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ralph Fasano
Sent: Friday, October 15, 2004 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Broadcast DOS Attacks

Hi all...

I'm new to this list so if this has been answered already I apologize... BUT Here goes...

For the past several weeks we have been the victim of several High Broadcasts Attacks to our campus. Our firewall gets inundated and basically shuts down all other traffic both inbound and outbound,,, thus appearing as if the network is down.. In fact that is what gets reported to our help desk. Sometimes these attacks last for 10 20 minutes... other times several hours.

We have seen similar activity several times on our network. A computer starts scanning random(?) ip subnets creating tons of outbound traffic. Our firewall translations tables fill up because the infected computer appears to spoof its ip address and change it quite frequently. The virus description that comes closest to describing what we are seeing is the IRC/Flood Virus (as named by Symantec), although I don't see any mention of the ip spoofing.

Is anyone else experiencing these symptoms and what are you doing to combat same????

After several hours of investigation, we have identified and picked up a student computer to investigate whether the Windows Updates are current and if our (campus license) Norton anti Virus is up to date.

In order to track down and eliminate the problem, we turn on access control lists on our edge devices that block all traffic that is not coming from a valid IP address for that particular segment of the network. This appears to work because every time we have come across the problem the ip spoof is not a valid address for the building the problematic traffic is coming from.

Does anyone have any automated tools that would help id and quarantine any such computer?

The broadcast traffic is through the roof!!! :-(

thanks

Ralph Fasano
Associate VP
Office Of Information Technology
Rhode Island School of Design
rfasano () risd edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
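
An added example, not part of the original messages or of any tool the posters mention: one way to automate the per-segment source-address check described above, flagging hosts that send from several addresses that are invalid for their segment. It assumes flow or packet records that carry the ingress segment, source MAC and source IP; the segment names, prefixes, threshold and records are all constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: valid source prefixes per network segment (constructed values).
SEGMENT_PREFIXES = {
    "dorm-a": [ipaddress.ip_network("192.0.2.0/25")],
    "dorm-b": [ipaddress.ip_network("192.0.2.128/25")],
}

# Constructed sample records: (ingress segment, source MAC, source IP).
SAMPLE_RECORDS = [
    ("dorm-a", "AA:BB:CC:00:00:01", "192.0.2.10"),    # valid for dorm-a
    ("dorm-a", "AA:BB:CC:00:00:01", "198.51.100.7"),  # outside dorm-a
    ("dorm-a", "aa:bb:cc:00:00:01", "203.0.113.9"),
    ("dorm-a", "aa:bb:cc:00:00:01", "10.1.2.3"),
    ("dorm-b", "aa:bb:cc:00:00:02", "192.0.2.200"),   # valid for dorm-b
    ("dorm-b", "aa:bb:cc:00:00:02", "192.0.2.5"),     # one stray address only
    ("dorm-b", "aa:bb:cc:00:00:03", "not-an-ip"),     # malformed, skipped
]


def find_spoofers(records, min_invalid=3):
    """Map (segment, mac) -> sorted out-of-segment source IPs, for hosts that
    used at least `min_invalid` distinct addresses invalid for their segment."""
    invalid = defaultdict(set)
    for segment, mac, src in records:
        prefixes = SEGMENT_PREFIXES.get(segment)
        if prefixes is None:
            continue  # unknown segment: nothing to validate against
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed record
        if not any(addr in net for net in prefixes):
            invalid[(segment, mac.lower())].add(addr)
    return {
        host: [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]
        for host, addrs in invalid.items()
        if len(addrs) >= min_invalid
    }


if __name__ == "__main__":
    for (segment, mac), addrs in find_spoofers(SAMPLE_RECORDS).items():
        print(f"{segment} {mac}: {len(addrs)} invalid sources: {', '.join(addrs)}")
```

The distinct-address threshold keeps a single misconfigured static address from being treated the same as a host cycling through spoofed sources.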
Current thread:
- Broadcast DOS Attacks Ralph Fasano (Oct 15)
- <Possible follow-ups>
- Re: Broadcast DOS Attacks Joe St Sauver (Oct 15)
- Re: Broadcast DOS Attacks Joel Rosenblatt (Oct 15)
- Re: Broadcast DOS Attacks Wood, Anne M (wood) (Oct 15)
- Re: Broadcast DOS Attacks Tom Klimek (Oct 15)
- Re: Broadcast DOS Attacks Mark Poepping (Oct 16)