security

15 October 2013 at 1:05pm
CSIRT's annual Security Birds of a Feather session at Networkshop. As usual this will be an opportunity for the free form discussion of security issues affecting your systems and Janet.
Anonymous
[1] Wikipedia - IP address spoofing: https://en.wikipedia.org/wiki/IP_address_spoofing [2] ZoneAlarm: http://www.zonelabs.com/ [3] Snort - the Lightweight Network Intrusion Detection System: http://www.snort.org/
Anonymous
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
Anonymous
We left the monitor in place for two days, until our log fi le began to grow rapidly indicating a new attack in progress. The following entries are typical of what was observed: [**] IDS253 - DDoS shaft synflood outgoing [**] 06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C 98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
Anonymous
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Anonymous
The university network is based on a Gigabit Ethernet backbone, linking together departmental Local Area Networks (LANs) which typically deliver switched 10/100Mbit/s to the desktop. The network is shown diagrammatically in Figure 1. Figure 1: Schematic of the university network
Anonymous
There’s little doubt that passwords are an inconvenience. Unfortunately they remain the most practical way for most of us to keep our on-line identities to ourselves. Without them, or if you don’t keep them secret, it would be far easier for someone else to masquerade as you, to read and modify any of your information and to take any action in your name.
Anonymous
PB/INFO/026 (10/05) Why passwords matter Every time we use a computer, a network or an electronic service we should have to prove who we are. This is important to ensure that we are entitled to use the particular service, and to give us access to our own personal information and settings.
Anonymous
GD/NOTE/001 (01/01) This paper has been contributed by a Janet customer site, and records their experiences in investigating a denial-of-service attack committed using hosts at their site. We are very grateful to them for allowing us to publish this information and hope that it will be useful to others.
Anonymous
Janet Policies All sites connecting to Janet are required to abide by three policies that set out the rules for access to, use and protection of the network. These policies are set by JISC, who fund the network. The latest versions of these policies can be found through the Janet web site. Janet Acceptable Use Policy: http://community.ja.net/library/acceptable-use-policy
Subscribe to security