Library items tagged: technical guide

Anonymous
Information and Guidelines on Logfiles LINX Best Current Practice – Traceability: https://www.linx.net/good/bcp/traceability-bcp-v1_0.html Information Commissioner’s Employee Monitoring code: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practices_code.pdf
Anonymous
[1] Microsoft TechNet - Source Address Spoofing: http://www.microsoft.com/technet/security/sourcead.asp [2] ZoneAlarm: http://www.zonelabs.com/ [3] Snort - the Lightweight Network Intrusion Detection System: http://www.snort.org/ [4] Armoring Linux: http://www.spitzner.net/linux.html
Anonymous
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
Anonymous
We left the monitor in place for two days, until our log fi le began to grow rapidly indicating a new attack in progress. The following entries are typical of what was observed: [**] IDS253 - DDoS shaft synflood outgoing [**] 06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C 98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
Anonymous
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Anonymous
The university network is based on a Gigabit Ethernet backbone, linking together departmental Local Area Networks (LANs) which typically deliver switched 10/100Mbit/s to the desktop. The network is shown diagrammatically in Figure 1. Figure 1: Schematic of the university network
Anonymous
GD/NOTE/001 (01/01) This paper has been contributed by a Janet customer site, and records their experiences in investigating a denial-of-service attack committed using hosts at their site. We are very grateful to them for allowing us to publish this information and hope that it will be useful to others.
Anonymous
B1. JANET QoS Development Project Documentation [KentP2]  JANET QoS Project Phase 2, ‘Kent and Manchester University Deliverable’, http://www.webarchive.ja.net/development/qos/documents/KMLQoSreportfinal.pdf. [LANCP2]  JANET QoS Project Phase 2, ‘Lancaster University / CLEO Trials’, http://www.ja.net/documents/development/QoSReport-LancasterPhase2v2.0.pdf.
Anonymous
A1. CISCO IP-SLA Monitoring Probe Configuration Example Cisco® IP-SLA Probe Command Line Configuration used on JANET Monitoring probes at sites are configured with the Cisco® IOS command: ! tr responder ! This enables the IP-SLA process, allowing the router to receive, process, and return probes back to the CMP. For IOS version 12.4 this command became ‘ip sla monitor responder’ and the related commands changed also.