[unisog] Tracking down network offenders
Peter Van Epp
vanepp at sfu.ca
Wed Dec 19 18:11:48 GMT 2001
> I am interested how Universities track down and respond to network
> complaints from outside the University. For example:
By and large we react about the same as Larry just described.
> A complaint arrives that shows an exploit scan against an external IP
> address from an internal University address. The internal University
> address turns out to be assigned to University housing.
My first stop is the argus logs that are recording everything in and
out of our Internet link. That gives me local time (in the case of things like
terminal servers that have different users at different times) and what really
went on. Sometimes what went on is harmless (aborted FTP sessions that the
user's firewall complained about, Gnutella et al. requests to the remote host).
Sometimes they are more serious like port scans. In this case it will usually
be obvious looking back in the log if it is a breakin (in which case the
machine is removed from the net until fixed) or apparently user initiated, which
goes to management for policy action.
Policy here can be informal (i.e., if both the offender and the
Computing Center director can come to an informal resolution it gets left there
with no "on the record" result at this time, although a record is kept in case
of future problems). In more serious cases (or if the user chooses to not
participate in the informal process) the matter gets forwarded to the Dean
of Student Services or the VP Admin in the rare case of it not being a student
for formal action which is on the record. Most cases get resolved informally
since that is usually to everyone's advantage. There have been a case or two that
were deemed too serious and went formal because the Director declined to do it
informally. This seems to work well for us.
> I am interested in both policy and technology considerations. I do
> realize that there are many policy and technology configurations at many
> different Universities. Also, is it possible to PROVE that a particular
> computer or user was involved if the problem is not caught in real time?
I don't see how you could prove anything without some logs. Even with
logs things like IP spoofing need to be taken into account (and/or the
instrumentation set up to make that difficult or impossibly unlikely). It also
to some extent depends on what you are doing. A criminal conviction takes a
lot better grade of evidence than internal University discipline (although, at
least here, internal can and has been challenged in court so we need to have
sufficient evidence to prove "natural justice" has been served if challenged).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
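An added example (not code from the post or from the unisog list) of the kind of correlation Peter describes: take the time and addresses in a complaint, pull the matching flows out of the border flow log, convert the complaint's UTC time to site local time, decide whether the traffic looks like a port scan or merely aborted FTP sessions, and then look up which terminal-server user held the address at that instant. The flow and session records are constructed sample data; the field layout only mimics what a collector such as argus keeps and is an assumption, as is the site time zone (PST, UTC-8).

```python
from datetime import datetime, timedelta, timezone

# Assumption: site local time is Pacific Standard Time (UTC-8) in December.
LOCAL_TZ = timezone(timedelta(hours=-8), name="PST")

# Constructed flow records, one per line:
#   start(UTC) proto src sport dst dport tcp_state bytes
# The field set mimics what a flow collector such as argus records; the
# layout is simplified and is an assumption, not real argus output.
_ftp_lines = [
    "2001-12-19T17:55:10Z tcp 10.1.5.23 2081 192.0.2.10 21 RST 320",
    "2001-12-19T17:56:30Z tcp 10.1.5.23 2090 192.0.2.10 21 RST 296",
]
# A SYN-only sweep of ports 20..59 on one remote host, one flow per second.
_scan_lines = [
    f"2001-12-19T18:05:{p:02d}Z tcp 10.1.5.23 {3000 + p} 198.51.100.7 {p} SYN 60"
    for p in range(20, 60)
]
FLOW_LOG = "\n".join(_ftp_lines + _scan_lines)

# Constructed terminal-server session records: user ip start(UTC) end(UTC)
SESSION_LOG = """\
bob   10.1.5.23 2001-12-19T15:00:00Z 2001-12-19T17:58:00Z
alice 10.1.5.23 2001-12-19T17:59:00Z 2001-12-19T18:40:00Z
"""


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proto, src, sport, dst, dport, state, nbytes = line.split()
        flows.append({"start": _ts(t), "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "state": state, "bytes": int(nbytes)})
    return flows


def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, end = line.split()
        sessions.append({"user": user, "ip": ip, "start": _ts(start), "end": _ts(end)})
    return sessions


def flows_between(flows, src, dst, when, margin=timedelta(minutes=10)):
    """Flows from src to dst that started within +/- margin of the complaint time."""
    return [f for f in flows if f["src"] == src and f["dst"] == dst
            and abs(f["start"] - when) <= margin]


def classify(flows, scan_ports=10):
    """Rough verdict on what the internal host did.

    A port scan shows up as many distinct destination ports, mostly SYN-only
    flows carrying almost no data.  Aborted FTP sessions show up as a handful
    of connections to port 21 that end in a reset.
    """
    if not flows:
        return "no matching traffic"
    ports = {f["dport"] for f in flows}
    syn_only = sum(1 for f in flows if f["state"] == "SYN" and f["bytes"] < 100)
    if len(ports) >= scan_ports and syn_only >= 0.8 * len(flows):
        return "port scan"
    if ports == {21} and all(f["state"] == "RST" for f in flows):
        return "aborted ftp"
    return "other"


def who_had_ip(sessions, ip, when):
    """Which user held the address at that instant (terminal server / DHCP log)."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= when <= s["end"]:
            return s["user"]
    return None


def investigate(complaint, flows, sessions):
    """complaint: {'src', 'dst', 'when_utc'}; returns local time, verdict and user."""
    when = _ts(complaint["when_utc"])
    matched = flows_between(flows, complaint["src"], complaint["dst"], when)
    local = when.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M %Z")
    return {"local_time": local, "flows": len(matched), "verdict": classify(matched),
            "user": who_had_ip(sessions, complaint["src"], when)}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    sessions = parse_sessions(SESSION_LOG)
    scan = {"src": "10.1.5.23", "dst": "198.51.100.7", "when_utc": "2001-12-19T18:05:30Z"}
    ftp = {"src": "10.1.5.23", "dst": "192.0.2.10", "when_utc": "2001-12-19T17:56:00Z"}
    print(investigate(scan, flows, sessions))
    print(investigate(ftp, flows, sessions))
```

The point of the session lookup is the one made in the post about terminal servers: the address alone names a port, not a person, so the complaint time has to be matched against who held the address then. Without the flow log there is nothing to match, and the verdict step is only a heuristic; a remote complaint's timestamp should still be checked for its own time zone before it is trusted.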