Educause Security Discussion mailing list archives
REN-ISAC debrief on Wed 8/13 activities
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 14 Aug 2003 08:30:29 -0500
REN-ISAC[1] Activities Wednesday, 8/13

ANML[2] performed an analysis of Abilene NetFlow data covering the period 0500-1400 GMT Wed 8/13 to identify the current top twenty AS sourcing port 135 scans to Abilene. Within that top twenty list, thirteen repeats from the 8/12 top twenty were seen.

An e-mail was sent to the top sources, describing (1) that their AS was a top source, (2) worm traffic on Abilene is very high, (3) the REN-ISAC is characterizing worm activity via Abilene NetFlow statistics, (4) a pointer to mitigation techniques[3], (5) that filters need to be input AND output, and (6) a breakdown of activity sourced within the AS, by /21.

The e-mails were sent to 9 Abilene Participant universities, and 3 Abilene-connected aggregates. 8 of the top twenty source AS were very large aggregates such as RIPE and APNIC. E-mails weren't sent to those aggregates because our process for working them is still in development.

In the very interesting results category, we've received four replies from institutions stating that their networks are now corrected. Although not stated, it appeared the corrective actions were taken as a result of the REN-ISAC notices. Of the corrected sites, one site was the win and show source on Tues/Wed. Comment from one site illustrated the common, but incomplete, practice of applying only inbound filters: "We had the filters applied on the inbound, but not on the outbound."

A graph, produced by ANML, of MS-RPC probe flows per second on Abilene is attached. The source NetFlow data is sampled at approximately a 1:100 ratio. Actual flow counts are therefore higher. The graph illustrates diminishing, although still very heavy, probe activity.
Regards,
Doug Pearson
Acting Director, REN-ISAC
Indiana University

[1] http://www.ren-isac.net
[2] http://www.anml.iu.edu/; The IU Advanced Network Management Lab
[3] http://www.cert.org/advisories/CA-2003-20.html

----
Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; Cell 812-325-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment:
ms-rpc-graph.pdf
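The message describes a NetFlow analysis that ranks source ASes by port 135 probe flows, breaks one AS's activity down by /21, notes repeats from the previous day's list, and reminds readers that 1:100 sampling understates actual flow counts. The following is an added example of that workflow, not code from REN-ISAC or ANML. The record layout (src_ip, src_as, dst_ip, proto, dst_port, flows), the sample records, the TCP-only filter, and the 1:100 scaling are all assumptions made for illustration; Abilene's actual export format is not described in the message.

```python
"""Rank source ASes and /21 prefixes by sampled port-135 probe flows.

Added example, not part of the original REN-ISAC message. The flow records
below are constructed for illustration; the column layout and the sampling
ratio are assumptions, not Abilene's actual NetFlow export format.
"""
import csv
import io
import ipaddress
from collections import Counter

# Assumption: 1:100 sampled NetFlow, as the message states; multiply sampled
# flow counts by this to estimate actual flows.
SAMPLING_RATIO = 100

# Constructed sample of pre-aggregated flow records (not real data).
# proto 6 = TCP, 17 = UDP; "flows" is the sampled flow count per row.
SAMPLE_FLOWS = """\
src_ip,src_as,dst_ip,proto,dst_port,flows
10.1.2.3,64500,192.0.2.10,6,135,40
10.1.9.7,64500,192.0.2.11,6,135,25
10.1.40.1,64500,192.0.2.12,6,135,5
10.2.0.5,64501,192.0.2.13,6,135,30
10.3.0.9,64502,192.0.2.14,6,80,500
10.3.0.9,64502,192.0.2.14,17,135,12
10.4.4.4,64503,192.0.2.15,6,135,2
"""


def port135_probes(records):
    """Yield (src_ip, src_as, sampled_flows) for TCP flows to dst port 135.

    Assumption: MS-RPC probes of interest are TCP/135 only; UDP/135 is ignored.
    """
    for r in records:
        if int(r["proto"]) == 6 and int(r["dst_port"]) == 135:
            yield r["src_ip"], int(r["src_as"]), int(r["flows"])


def top_source_as(text, n=20, sampling_ratio=SAMPLING_RATIO):
    """Return [(asn, estimated_flows)] for the n busiest source ASes."""
    counts = Counter()
    for _, asn, flows in port135_probes(csv.DictReader(io.StringIO(text))):
        counts[asn] += flows
    # Scale sampled counts up to an estimate of actual flows.
    return [(asn, flows * sampling_ratio) for asn, flows in counts.most_common(n)]


def breakdown_by_slash21(text, asn, sampling_ratio=SAMPLING_RATIO):
    """Return {'/21 prefix': estimated_flows} for one source AS, busiest first."""
    per_prefix = Counter()
    for ip, src_as, flows in port135_probes(csv.DictReader(io.StringIO(text))):
        if src_as == asn:
            net = ipaddress.ip_network(f"{ip}/21", strict=False)
            per_prefix[str(net)] += flows
    return {p: f * sampling_ratio for p, f in per_prefix.most_common()}


def repeats(today, yesterday):
    """ASes present in both days' top lists (the 'repeats' the message counts)."""
    return sorted({a for a, _ in today} & {a for a, _ in yesterday})


if __name__ == "__main__":
    ranked = top_source_as(SAMPLE_FLOWS)
    for asn, est in ranked:
        print(f"AS{asn}: ~{est} port-135 flows")
    top_asn = ranked[0][0]
    for prefix, est in breakdown_by_slash21(SAMPLE_FLOWS, top_asn).items():
        print(f"  {prefix}: ~{est}")
```

The /21 breakdown is what a campus network operator needs to locate the infected hosts behind a single AS number, and the sampling scale-up is why the raw sampled counts in a graph like the attached one should be read as a lower bound.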