Educause Security Discussion mailing list archives

Re: Broadcast DOS Attacks


From: Tom Klimek <tklimek () ND EDU>
Date: Fri, 15 Oct 2004 16:15:15 -0500

We have had similar problems in the past with SYN floods, including
spoofing of valid addresses within the subnet of the infected host. We
utilize Snort IDS and also have a sniffer running on our border, and our
infrastructure is built to easily monitor any VLAN by simply spanning the
appropriate VLAN on a distribution switch. Also, most of these attacks
are triggered by IRC, so you may consider blocking it as well.

I would suggest the use of anti-spoofing ACLs on all subnets. This
would prevent the host from spoofing random addresses (it will not
prevent spoofing of valid addresses on that subnet). A sniffer monitoring
outbound traffic on the border should quickly identify the top talker
and indicate the subnet, leading to the appropriate VLAN to monitor
(again for the top talker), yielding the MAC address of the offender. At this
point, block the offending host by MAC address at the edge switch.

It's not an automated solution but you can quickly restore off-campus
access.


Access control lists prevent spoofing of non-valid addresses (Cisco):

interface VlanXX
 description Sample Interface
 ip address 172.16.58.250 255.255.255.0
 ip access-group vlanXX in

! Wildcard mask 0.0.0.255 matches the interface's /24; a wildcard of
! 0.255.255.255 would permit any source in 172.0.0.0/8 instead.
ip access-list extended vlanXX
 permit ip 172.16.58.0 0.0.0.255 any
 permit udp any any eq bootps
 deny   ip any any

Filter by MAC address (Cisco):

CatOS block
set cam static filter xx-xx-xx-xx-xx-xx <vlan>
CatOS clear
clear cam xx-xx-xx-xx-xx-xx <vlan>

IOS
mac-address-table static xxxx.xxxx.xxxx vlan xxx drop



Tom Klimek
Manager, Network Engineering
University of Notre Dame
204 Security Building
Notre Dame, IN 46556
(574) 631-8277
tklimek () nd edu
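The two steps in the reply above (an ingress anti-spoofing filter per VLAN subnet, then a top-talker count over the spoofed traffic to find the MAC address to block at the edge) can be modelled over captured flow records. The following is an added example, not code from the mailing-list post or from Cisco; the VLAN table, MAC addresses and flow records are constructed, and `wildcard_to_network` is a helper written here to check that an ACL wildcard mask really matches the subnet configured on the SVI.

```python
"""Anti-spoofing check and top-talker triage over constructed flow records."""
import ipaddress
from collections import Counter

# Constructed VLAN table: VLAN id -> subnet configured on that SVI.
VLAN_SUBNETS = {
    58: ipaddress.ip_network("172.16.58.0/24"),
    59: ipaddress.ip_network("172.16.59.0/24"),
}


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate a Cisco ACL address/wildcard pair into the prefix it matches.

    A wildcard mask is the bitwise inverse of a netmask, so 0.0.0.255 is a /24
    while 0.255.255.255 is a /8 (a common and much too permissive mistake).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def is_spoofed(vlan: int, src_ip: str) -> bool:
    """Ingress anti-spoofing rule for one VLAN: the source address must belong
    to that VLAN's own subnet (the 'permit ip <subnet> any / deny ip any any'
    pair on the SVI). Valid addresses from the same subnet still pass."""
    return ipaddress.ip_address(src_ip) not in VLAN_SUBNETS[vlan]


# Constructed flow records as a sniffer on a spanned VLAN would see them:
# (vlan, src_mac, src_ip, dst_ip, packets)
FLOWS = [
    (58, "0011.2233.4455", "172.16.58.17", "10.9.8.7",      40),
    (58, "0011.2233.4455", "10.200.1.9",   "198.51.100.5", 3000),  # spoofed
    (58, "0011.2233.4455", "192.0.2.77",   "198.51.100.6", 2800),  # spoofed
    (58, "00aa.bb11.cc22", "172.16.58.40", "203.0.113.9",   120),
    (59, "00de.adbe.ef01", "172.16.59.5",  "203.0.113.10",   15),
    (59, "00de.adbe.ef01", "172.16.58.9",  "198.51.100.7",  900),  # valid in 58, spoofed on 59
]


def triage(flows):
    """Apply the per-VLAN anti-spoofing rule to every flow.

    Returns (dropped_packets_by_mac, permitted_packets_by_mac); the dropped
    counter is keyed by source MAC because that is what survives spoofing
    and what the edge switch can filter on.
    """
    dropped, permitted = Counter(), Counter()
    for vlan, mac, src, _dst, pkts in flows:
        if is_spoofed(vlan, src):
            dropped[mac] += pkts
        else:
            permitted[mac] += pkts
    return dropped, permitted


def top_talker(flows):
    """MAC address generating the most spoofed (dropped) packets, or None."""
    dropped, _ = triage(flows)
    return dropped.most_common(1)[0][0] if dropped else None


def ios_block_command(mac: str, vlan: int) -> str:
    """IOS static drop entry for the offender, in the syntax the post quotes."""
    return f"mac-address-table static {mac} vlan {vlan} drop"


if __name__ == "__main__":
    # Wildcard sanity check: the ACL must match the SVI's /24, not a /8.
    print("0.0.0.255     ->", wildcard_to_network("172.16.58.0", "0.0.0.255"))
    print("0.255.255.255 ->", wildcard_to_network("172.16.58.0", "0.255.255.255"))
    dropped, permitted = triage(FLOWS)
    for mac, pkts in dropped.most_common():
        print(f"spoofed source traffic from {mac}: {pkts} packets")
    offender = top_talker(FLOWS)
    print("block at edge switch:", ios_block_command(offender, 58))
```

Running the script first shows that `0.0.0.255` yields `172.16.58.0/24` while `0.255.255.255` yields `172.0.0.0/8`, then lists `0011.2233.4455` as the top spoofing source on VLAN 58 and prints the matching `mac-address-table static ... drop` line. The record from `00de.adbe.ef01` illustrates the caveat in the reply: a source that is valid on a neighbouring subnet is still dropped on VLAN 59, but a host spoofing an address from its own subnet would pass this filter and only be caught by the MAC-keyed top-talker count.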



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ralph Fasano
Sent: Friday, October 15, 2004 11:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Broadcast DOS Attacks

Hi all... I'm new to this list so if this has been answered already I
apologize... BUT

Here goes...

For the past several weeks we have been the victim of several high
broadcast attacks on our campus. Our firewall gets inundated and
basically shuts down all other traffic, both inbound and outbound, thus
appearing as if the network is down. In fact, that is what gets reported
to our help desk. Sometimes these attacks last for 10-20 minutes,
other times several hours.

We have seen similar activity several times on our network. A computer
starts scanning random(?) IP subnets, creating tons of outbound traffic.
Our firewall translation tables fill up because the infected computer
appears to spoof its IP address and change it quite frequently. The
virus description that comes closest to describing what we are seeing is
the IRC/Flood virus (as named by Symantec), although I don't see any
mention of the IP spoofing.

Is anyone else experiencing these symptoms, and what are you doing to
combat the same?

After several hours of investigation, we have identified and picked up a
student computer to investigate whether the Windows Updates are current
and if our (campus license) Norton AntiVirus is up to date.

In order to track down and eliminate the problem, we turn on access
control lists on our edge devices that block all traffic that is not
coming from a valid IP address for that particular segment of the
network. This appears to work because every time we have come across
the problem, the spoofed IP is not a valid address for the building the
problematic traffic is coming from.


Does anyone have any automated tools that would help identify and quarantine
any such computer? The broadcast traffic is through the roof!!! :-(

thanks

Ralph Fasano
Associate VP, Office Of Information Technology
Rhode Island School of Design
rfasano () risd edu

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
