[unisog] Tracking down network offenders

E. Larry Lidz ellidz at eridu.uchicago.edu
Wed Dec 19 16:23:38 GMT 2001

MVick at mail.uttyl.edu writes:
>     A complaint arrives that shows an exploit scan against an external IP
>address from an internal University address.  The internal University
>address turns out to be assigned to University housing.
>     I am interested in both policy and technology considerations.  I do
>realize that there are many policy and technology configurations at many
>different Universities.  Also, is it possible to PROVE that a particular
>computer or user was involved if the problem if not caught in real time?

When we get a complaint, we verify the network traffic in our network
logs (we use the flow data captured from a bunch of our routers and a
few of our switches). If it's not there (or is harmless, like Gnutella
traffic), we send a note back letting them know. If it appears to be
spoofed, we let the complainant know.

Over nine out of ten complaints we get that end up being for real
malicious traffic, it's pretty apparent that the machine was broken
into. In this case, we pull the machine from the network to prevent it
from continuing and contact the owner and let them know that they have a

If we believe that the user of the machine was the one responsible
for the attack, we send them off to the appropriate disciplinary
organization. For students, this is the Dean of Student's office. We
give them a detailed report of what went on and how confident we are
of our various data. We work closely with them to make sure that
they understand the issues and can enforce the University's policies


E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

More information about the unisog mailing list