Educause Security Discussion mailing list archives

Re: Broadcast DOS Attacks


From: Mark Poepping <poepping () CMU EDU>
Date: Sat, 16 Oct 2004 11:25:33 -0400

Adding to the list of tools -- argus (www.qosient.com) is a free
software-based probe/reporting/collector/reporter that provides a much
richer flow model than netflow and can leverage port-replication from a
switch or router to produce the bi-directional flow information.  As a
software probe, it has benefits and shortcomings relative to netflow-export.
Many of the flow-tools utilities understand argus data records and argus
reporting/analysis stuff can read netflow formats.
Mark.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Friday, October 15, 2004 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Broadcast DOS Attacks

Hi Ralph,

#Does anyone have any automated tools that would help id and quarantine
#any such computer?// The broadcast traffic is through the roof!!! :-(

Just to make sure I understand what you're seeing, the problematic traffic
you're seeing is internal (local, from your users' hosts), rather than
external in origin, correct?

Are you currently doing Netflow for your network? If not, you might want
to ask your staff to check out http://www.splintered.net/sw/flow-tools/
-- hot hosts should be pretty easy to routinely spot, or you might want
to also investigate Snort ( http://www.snort.org/ ) or Bro
( http://www.icir.org/vern/bro-info.html ) for some automated tools.

Another step that may be quite helpful (you may already be doing this)
would be to scan your own hosts for vulnerabilities using a tool such as
Nessus (see: http://www.nessus.org/ ).

I tend NOT to be a fan of sandbox-based quarantine systems simply because
in many cases the remediation process exceeds the ability of novice users
to execute, and it is often easy to get what I'd call "symptomatic relief"
but not a "full cure." (The bad news is that we're creeping increasingly
close to the day when nuke-and-pave (full re-installation following a
compromise) will be the only realistic option, particularly when a given
host may be multiply compromised)

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
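Joe's point that "hot hosts should be pretty easy to routinely spot" from flow data is straightforward to turn into a script. The following is an added example, not code from either poster, flow-tools, argus or EDUCAUSE: it reads flow records in a simplified, assumed NetFlow-export-style layout (source, destination, protocol, ports, packets, octets), works out which destinations are broadcast addresses for a configured list of local subnets (plus the limited broadcast 255.255.255.255), totals broadcast packets per source host, and reports the hosts above a threshold. The sample records, subnets and threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real flow-tools output). Assumed layout:
#   srcaddr dstaddr proto sport dport packets octets
# 10.1.2.17 is the deliberately noisy host; the others are normal chatter.
SAMPLE_FLOWS = """\
10.1.2.17 10.1.2.255 17 137 137 4800 432000
10.1.2.17 255.255.255.255 17 68 67 2200 750000
10.1.2.17 10.1.2.255 17 138 138 3100 620000
10.1.2.40 10.1.2.255 17 137 137 12 1100
10.1.2.55 10.1.3.255 17 137 137 6 540
10.1.3.9 10.1.3.255 17 138 138 9 1800
10.1.2.40 192.0.2.10 6 51234 80 40 6000
"""

# Assumed local address space; a real deployment would load this from
# the router or IPAM config.
LOCAL_SUBNETS = [ipaddress.ip_network(s) for s in ("10.1.2.0/24", "10.1.3.0/24")]


def broadcast_addresses(subnets):
    """Limited broadcast plus the directed broadcast of each local subnet."""
    addrs = {ipaddress.ip_address("255.255.255.255")}
    for net in subnets:
        addrs.add(net.broadcast_address)
    return addrs


def parse_flows(text):
    """Parse whitespace-separated records in the assumed layout above."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, octets = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "sport": int(sport),
            "dport": int(dport),
            "packets": int(pkts),
            "octets": int(octets),
        })
    return flows


def broadcast_packets_by_source(flows, subnets):
    """Total packets each source host sent to any broadcast address."""
    bcast = broadcast_addresses(subnets)
    counts = Counter()
    for f in flows:
        if f["dst"] in bcast:
            counts[str(f["src"])] += f["packets"]
    return counts


def broadcast_share(flows, subnets):
    """Each host's fraction of all observed broadcast packets (0..1)."""
    counts = broadcast_packets_by_source(flows, subnets)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {host: n / total for host, n in counts.items()}


def hot_hosts(flows, subnets, packet_threshold):
    """Hosts whose broadcast packet count meets the threshold, busiest first."""
    counts = broadcast_packets_by_source(flows, subnets)
    hot = [(host, n) for host, n in counts.items() if n >= packet_threshold]
    return sorted(hot, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    share = broadcast_share(flows, LOCAL_SUBNETS)
    for host, packets in hot_hosts(flows, LOCAL_SUBNETS, packet_threshold=1000):
        print(f"{host}: {packets} broadcast packets ({share[host]:.0%} of total)")
```

An absolute packet threshold is the crude first pass; on a real campus network the share of total broadcast traffic per host over a fixed window (5 or 15 minutes of exported flows) is the more stable signal, which is why `broadcast_share` is included. Also note that a flow exporter on a router only sees broadcasts that reach it, so traffic confined to a single switched VLAN needs the port-replication approach Mark mentions.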