[unisog] CHE 3/15: The Growing Vulnerability ofCampus Networks

Peter Van Epp vanepp at sfu.ca
Mon Mar 11 20:46:46 GMT 2002

> Paul Schmehl wrote:
> > I found it discouraging.  They make it sound like we are
> > populated by technical dummies who have no hope of
> > understanding security.  I think there's no question that
> > we have a problem we need to deal with, but that's a long
> > way from saying we're incompetent or don't care.
> And we have be doing a lot in recent years to work on the problem,
> both on our individual networks and as a group -- though we can do more.

	As always I'd point out that while that applies to the people on this
list, we aren't the entirety (or even I suspect the majority) of the 
educational sites. I know a lot in my local area that care a lot less about
security than we do. Just being on this list argues that you are competent 
and care ...

> > We've had this argument before here, and I still maintain
> > that colleges and universities are not nearly as big a
> > problem as "home" networks (large DSL pools of completed
> > unprotected machines.)
> Quite true.  And I would add that many small ISPs and web hosting
> companies are hardly well protected IMHO.  I see probes and attacks
> coming from commercial web servers, ISPs and other countries all the time.

	We are still seeing over 500K unsuccessful code red probes a day from a 
variety of sites, (a large Eastern Canadian telco/ISP for instance) inbound
from the net. This indeed argues there is a serious problem in ISP / ADSL /
Cable land with security. Same with viruses we are running neck and neck from
on campus infections and people's home machines on cable/adsl. This makes
bringing up a Windows box on campus exciting, since you are likely to be 
compromised before you can boot and install the patches over the net ...

> I think that the same misperception holds w.r.t. Higher Ed nets and P2P
> file stealing (oops, I meant file sharing...) applications.  Sometimes
> I think that P2P apps (Kazaa, Morpheus, AudioGalaxy) are a major (if not
> the main) reason for the existence of a market for high speed Internet
> access in the home.

	Probably correct. Although I'm suprises at how low our level is. We 
are evaling a packeteer and it is reporting at most a couple of % utilization
for the file sharing programs (http would be the protocol to hit for reductions,
its over %60 of the traffic). I suppose I shouldn't be suprised because (other
than breakins) argus indicates much the same thing, file server traffic is 
low enough to not be profitable chasing (or more correctly ones that are 
worth chasing have previously been chased :-)). 

> However, we (Universities) are an easier target for people to complain
> about than amorphous and diluted groups of high speed DSL/cable users.
> And I would venture to say that some Universities are likely easier
> targets for cr/hackers looking for vulnerable NT/W2K and Unix/Linux
> hosts to compromise and take over.  In particular I'd say that our IP
> networks may be more concentrated "target-rich" environments for someone
> looking for these platforms.

	In our case, we look to be famous for having high speed links to the 
net. Once one of our machines gets compromised most of the world piles on 
and drives the data rate through the roof (current record is 65 gigs in 24
hours on a PC up from 32 Gigs in 24 hours from a large SGI). This of course
pretty quickly gets caught as argus coughs out the traffic totals, but thats
a lot better bang for your breakin (although you get found and shut off faster)
than breaking in to a cable modem with only a couple of megs of bandwith
avialable. I expect other sites with fast links (and without argus or a 
packeteer) are an even better investment if the attacker gets some days of 
fast transfer before getting shut down. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list