Educause Security Discussion mailing list archives
Re: Broadcast DOS Attacks
From: Tom Klimek <tklimek () ND EDU>
Date: Fri, 15 Oct 2004 16:15:15 -0500
We have had similar problems in the past with SYN floods, including spoofing of valid addresses within the subnet of the infected host. We utilize Snort IDS and also have a sniffer running on our border, and our infrastructure is built to easily monitor any VLAN by simply spanning the appropriate VLAN on a distribution switch. Also, most of these attacks are triggered by IRC, so you may consider blocking that as well.

I would suggest the use of anti-spoofing ACLs on all subnets. This would prevent the host from spoofing random addresses (it will not prevent spoofing of valid addresses on that subnet). A sniffer monitoring outbound traffic on the border should quickly identify the top talker and indicate the subnet, leading to the appropriate VLAN to monitor (again, top talker), yielding the MAC address of the offender. At this point block the offending host by MAC address at the edge switch. It's not an automated solution, but you can quickly restore off-campus access.

Access control lists prevent spoofing of non-valid addresses (Cisco):

    interface VlanXX
     description Sample Interface
     ip address 172.16.58.250 255.255.255.0
     ip access-group vlanXX in
    !
    ip access-list extended vlanXX
     ! Wildcard mask corrected from 0.255.255.255 (which would have matched all of
     ! 172.0.0.0/8) to 0.0.0.255, so only the interface's own /24 is permitted as a source
     permit ip 172.16.58.0 0.0.0.255 any
     ! DHCP clients source DISCOVER/REQUEST from 0.0.0.0 before they have an address
     permit udp any any eq bootps
     deny ip any any

Filter by MAC address (Cisco):

    CatOS block:
     set cam static filter xx-xx-xx-xx-xx-xx vlan
    CatOS clear:
     clear cam xx-xx-xx-xx-xx-xx vlan
    IOS:
     mac-address-table static xxxx.xxxx.xxxx vlan xxx drop

Tom Klimek
Manager, Network Engineering
University of Notre Dame
204 Security Building
Notre Dame, IN 46556
(574) 631-8277
tklimek () nd edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ralph Fasano
Sent: Friday, October 15, 2004 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Broadcast DOS Attacks

Hi all... I'm new to this list, so if this has been answered already I apologize... BUT here goes...
For the past several weeks we have been the victim of several high broadcast attacks on our campus. Our firewall gets inundated and basically shuts down all other traffic, both inbound and outbound, thus appearing as if the network is down. In fact, that is what gets reported to our help desk. Sometimes these attacks last for 10-20 minutes, other times several hours.

We have seen similar activity several times on our network. A computer starts scanning random(?) IP subnets, creating tons of outbound traffic. Our firewall translation tables fill up because the infected computer appears to spoof its IP address and change it quite frequently. The virus description that comes closest to describing what we are seeing is the IRC/Flood virus (as named by Symantec), although I don't see any mention of the IP spoofing. Is anyone else experiencing these symptoms, and what are you doing to combat same?

After several hours of investigation, we have identified and picked up a student computer to investigate whether the Windows Updates are current and if our (campus license) Norton Anti-Virus is up to date. In order to track down and eliminate the problem, we turn on access control lists on our edge devices that block all traffic that is not coming from a valid IP address for that particular segment of the network. This appears to work because every time we have come across the problem the spoofed IP is not a valid address for the building the problematic traffic is coming from.

Does anyone have any automated tools that would help ID and quarantine any such computer? The broadcast traffic is through the roof!!! :-(

thanks
Ralph Fasano
Associate VP
Office Of Information Technology
Rhode Island School of Design
rfasano () risd edu

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
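The two-stage hunt Tom describes (border top talker by source subnet, then span that VLAN to get the offending MAC) and the wildcard-mask arithmetic behind his anti-spoofing ACL, as an added Python example that is not part of either message in the thread. The VLAN table, flow records, MAC addresses and function names are all constructed for illustration; only the IOS/CatOS command shapes come from the reply above. The example goes one step beyond the post by also flagging a single MAC that sends from several source IPs, which is the signature of the spoofing host the ACL cannot stop once it sticks to valid addresses.

```python
"""Added example: border/VLAN top-talker triage plus anti-spoofing ACL generation.
All data below is constructed; none of it comes from the original thread."""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical VLAN table (assumed, not from the thread): subnet -> (SVI, VLAN id).
VLANS = {
    "172.16.58.0/24": ("Vlan58", 58),
    "172.16.59.0/24": ("Vlan59", 59),
}

# Constructed border-sniffer view of outbound traffic: (source IP, destination IP, packets).
BORDER_RECORDS = [
    ("172.16.58.23", "10.9.1.1", 120),
    ("172.16.58.23", "10.9.1.2", 90),
    ("172.16.58.77", "10.9.1.1", 4000),   # spoofed, but a valid address on VLAN 58
    ("172.16.58.201", "10.9.1.5", 3900),  # spoofed, but a valid address on VLAN 58
    ("172.16.59.10", "10.9.1.1", 300),
    ("198.51.100.9", "10.9.1.1", 2500),   # spoofed, not valid for any campus subnet
]

# Constructed records after spanning VLAN 58 on the distribution switch:
# (source MAC, source IP, packets). The sniffer sees frames before the SVI ACL drops them.
VLAN58_RECORDS = [
    ("0011.2233.4455", "172.16.58.23", 210),
    ("00aa.bbcc.ddee", "172.16.58.77", 4000),
    ("00aa.bbcc.ddee", "172.16.58.201", 3900),
    ("00aa.bbcc.ddee", "198.51.100.9", 2500),
    ("0099.8877.6655", "0.0.0.0", 3),         # DHCP DISCOVER, legitimately from 0.0.0.0
]


def cisco_wildcard(network: str) -> str:
    """Inverse of the subnet mask: a /24 needs 0.0.0.255, not 0.255.255.255."""
    return str(ipaddress.ip_network(network).hostmask)


def anti_spoof_acl(network: str, acl_name: str) -> str:
    """Extended ACL applied inbound on the SVI: only the subnet's own addresses
    (plus DHCP clients sourcing from 0.0.0.0) may leave the VLAN."""
    net = ipaddress.ip_network(network)
    return "\n".join([
        f"ip access-list extended {acl_name}",
        f" permit ip {net.network_address} {net.hostmask} any",
        " permit udp any any eq bootps",
        " deny ip any any",
    ])


def is_valid_source(ip: str, network: str) -> bool:
    """A source is valid if it sits inside the VLAN's subnet or is the DHCP client 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return addr in ipaddress.ip_network(network) or addr == ipaddress.ip_address("0.0.0.0")


def subnet_for(ip: str):
    addr = ipaddress.ip_address(ip)
    for net in VLANS:
        if addr in ipaddress.ip_network(net):
            return net
    return None


def top_talking_subnet(records):
    """Border stage: aggregate by the subnet each source claims, so the busiest
    VLAN to span is found even though the host keeps changing its source IP."""
    per_subnet = Counter()
    for src, _dst, pkts in records:
        per_subnet[subnet_for(src) or "off-campus/unroutable source"] += pkts
    return per_subnet.most_common(1)[0]


def find_offender(records, network: str):
    """VLAN stage: the MAC sending the most packets, the source IPs it used, and
    whether it is spoofing (several IPs) or using addresses outside the subnet."""
    pkts_by_mac, ips_by_mac = Counter(), defaultdict(set)
    for mac, src, pkts in records:
        pkts_by_mac[mac] += pkts
        ips_by_mac[mac].add(src)
    mac, total = pkts_by_mac.most_common(1)[0]
    ips = sorted(ips_by_mac[mac])
    return {"mac": mac, "packets": total, "source_ips": ips,
            "spoofing": len(ips) > 1,
            "invalid_sources": [ip for ip in ips if not is_valid_source(ip, network)]}


def block_mac_commands(mac: str, vlan_id: int) -> dict:
    """The thread's IOS and CatOS filters filled in for one host (xxxx.xxxx.xxxx -> xx-xx-...)."""
    hexdigits = mac.replace(".", "").lower()
    catos_mac = "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    return {"ios": f"mac-address-table static {mac} vlan {vlan_id} drop",
            "catos_block": f"set cam static filter {catos_mac} {vlan_id}",
            "catos_clear": f"clear cam {catos_mac} {vlan_id}"}


if __name__ == "__main__":
    subnet, pkts = top_talking_subnet(BORDER_RECORDS)
    svi, vlan_id = VLANS[subnet]
    print(f"border top talker: {subnet} ({pkts} pkts) -> span {svi}")
    offender = find_offender(VLAN58_RECORDS, subnet)
    print("offender:", offender)
    for cmd in block_mac_commands(offender["mac"], vlan_id).values():
        print(cmd)
    print(anti_spoof_acl(subnet, f"vlan{vlan_id}"))
```

Note that the border stage keys on the subnet a source address claims, which is exactly why Tom's ACL matters: once random spoofs are dropped at the SVI, the remaining noise collapses onto one subnet and points at one VLAN to span.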
Current thread:
- Broadcast DOS Attacks Ralph Fasano (Oct 15)
- <Possible follow-ups>
- Re: Broadcast DOS Attacks Joe St Sauver (Oct 15)
- Re: Broadcast DOS Attacks Joel Rosenblatt (Oct 15)
- Re: Broadcast DOS Attacks Wood, Anne M (wood) (Oct 15)
- Re: Broadcast DOS Attacks Tom Klimek (Oct 15)
- Re: Broadcast DOS Attacks Mark Poepping (Oct 16)