Educause Security Discussion mailing list archives
Re: Broadcast DOS Attacks
From: Mark Poepping <poepping () CMU EDU>
Date: Sat, 16 Oct 2004 11:25:33 -0400
Adding to the list of tools -- argus (www.qosient.com) is a free software-based probe/reporting/collector/reporter that provides a much richer flow model than netflow and can leverage port-replication from a switch or router to produce the bi-directional flow information. As a software probe, it has benefits and shortcomings relative to netflow-export. Many of the flowtools utilities understand arus data records and argus reporting/analysis stuff can read netflow formats. Mark.
-----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver Sent: Friday, October 15, 2004 12:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Broadcast DOS Attacks Hi Ralph, #Does anyone have any automated tools that would help id and quarantine #any such computer?// The broadcast traffic is through the roof!!! :-( Just to make sure I understand what you're seeing, the problematic traffic you're seeing is internal (local, from your users' hosts), rather than external in origin, correct? Are you currently doing Netflow for your network? If not, you might want to ask your staff to check out http://www.splintered.net/sw/flow-tools/ -- hot hosts should be pretty easy to routinely spot, or you might want to also investigate Snort ( http://www.snort.org/ ) or Bro ( http://www.icir.org/vern/bro-info.html ) for some automated tools. Another step that may be quite helpful (you may already be doing this) would be to scan your own hosts for vulnerabilities using a tool such as Nessus (see: http://www.nessus.org/ ). I tend NOT to be a fan of sandbox-based quarantine systems simply because in many cases the remediation process exceeds the ability of novice users to execute, and it is often easy to get what I'd call "symptomatic relief" but not a "full cure." (The bad news is that we're creeping increasingly close to the day when nuke-and-pave (full re-installation following a compromise) will be the only realistic option, particularly when a given host may be multiply compromised) Regards, Joe St Sauver (joe () oregon uoregon edu) University of Oregon Computing Center ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Broadcast DOS Attacks Ralph Fasano (Oct 15)
- <Possible follow-ups>
- Re: Broadcast DOS Attacks Joe St Sauver (Oct 15)
- Re: Broadcast DOS Attacks Joel Rosenblatt (Oct 15)
- Re: Broadcast DOS Attacks Wood, Anne M (wood) (Oct 15)
- Re: Broadcast DOS Attacks Tom Klimek (Oct 15)
- Re: Broadcast DOS Attacks Mark Poepping (Oct 16)