[Dshield] Opinions on traffic volume

Johannes B. Ullrich jullrich at sans.org
Tue Oct 30 13:16:05 GMT 2007

Hash: RIPEMD160

> Last week I was contacted by the University's network people asking
> me if I knew about the huge amount of ICMP traffic going to one of
> our boxes.  I knew nothing and started hunting it down.

Good that they are watching.

> So I'm curious, do other people agree with us being concerned and us
> asking them to stop it or would you have continued to let them do
> what they were?

Yes. You should ask these questions. As a network administrator you
should always try to explain traffic on your network, even if it doesn't
rise to a problem (yet).

Now about this particular traffic: It all depends on what your
researchers are trying to do. If they participate in a research project
that requires this traffic, then by all means allow it. If they can do
without, then talk to them about getting rid of it. Fundamentally, the
network has to support the "business". In your case, the business
happens to be research. Now "support" does mean more then just open up
ports as needed. Once the port is open, support includes things like
mitigating any potential security issues arising from the open port.

I think I heard about this particular research project. By participating
in the distributed network you mentioned, your researchers may have
agreed to participate in the routing project as well. It always comes
down to the fine print ;-)

- --
Johannes Ullrich, SANS Institute, (www.sans.org)

Cyber Defense Initiative - Washington DC; 17 courses, Dec 11- 18
SANS Security 2008 - New Orleans, LA; 21 courses, Jan 11-19

Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the list mailing list