Library items tagged: technical guide

References

Anonymous
Thursday, February 16, 2012 - 07:36
logfiles
logging
references
technical guide
Information and Guidelines on Logfiles LINX Best Current Practice – Traceability: https://www.linx.net/good/bcp/traceability-bcp-v1_0.html Information Commissioner’s Employee Monitoring code: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practices_code.pdf
Read more

References

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
technical guide
[1] Wikipedia - IP address spoofing: https://en.wikipedia.org/wiki/IP_address_spoofing [2] ZoneAlarm: http://www.zonelabs.com/ [3] Snort - the Lightweight Network Intrusion Detection System: http://www.snort.org/
Read more

Aftermath

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
investigating
technical guide
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
Read more

What we saw

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigation
technical guide
We left the monitor in place for two days, until our log fi le began to grow rapidly indicating a new attack in progress. The following entries are typical of what was observed: [**] IDS253 - DDoS shaft synflood outgoing [**] 06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C 98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
Read more

The network monitor

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Read more

Network infrastructure

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
The university network is based on a Gigabit Ethernet backbone, linking together departmental Local Area Networks (LANs) which typically deliver switched 10/100Mbit/s to the desktop. The network is shown diagrammatically in Figure 1. Figure 1: Schematic of the university network
Read more

Investigating a Denial of Service attack

Anonymous
Friday, February 17, 2012 - 15:29
DDOS
denial of service
investigation
security
technical guide
GD/NOTE/001 (01/01) This paper has been contributed by a Janet customer site, and records their experiences in investigating a denial-of-service attack committed using hosts at their site. We are very grateful to them for allowing us to publish this information and hope that it will be useful to others.
Read more

Appendix B. Bibliography

Anonymous
Friday, February 17, 2012 - 13:46
QoS
technical guide
network set-up
bibliography
B1. JANET QoS Development Project Documentation [KentP2]  JANET QoS Project Phase 2, ‘Kent and Manchester University Deliverable’, http://www.webarchive.ja.net/development/qos/documents/KMLQoSreportfinal.pdf. [LANCP2]  JANET QoS Project Phase 2, ‘Lancaster University / CLEO Trials’, http://www.ja.net/documents/development/QoSReport-LancasterPhase2v2.0.pdf.
Read more

Appendix A. Configuration examples

Anonymous
Friday, February 17, 2012 - 13:36
QoS
technical guide
network set-up
configuration
A1. CISCO IP-SLA Monitoring Probe Configuration Example Cisco® IP-SLA Probe Command Line Configuration used on JANET Monitoring probes at sites are configured with the Cisco® IOS command: ! tr responder ! This enables the IP-SLA process, allowing the router to receive, process, and return probes back to the CMP. For IOS version 12.4 this command became ‘ip sla monitor responder’ and the related commands changed also.
Read more