[unisog] CHE 3/15: The Growing Vulnerability of Campus Networks

marchany at vt.edu
Tue Mar 12 21:56:50 GMT 2002

>We find a large number of our compromises by investigating scans.
>Often we'll see a scan hit our network, and by looking at the network
>audit logs, we can see that the scanner also connected to a weird port
>on a machine or two.

Absolutely. Scan logs tell us whether the attack is directed at a single 
target or a campus-wide sweep. It helps us plan our defenses. The more 
important goal is to increase awareness on the part of departmental sysadmins. 
Once a dept sysadmin installs a monitor like IP filters or portsentry and sees 
the hits on their system, they start tightening up the system. The individual 
sysadmins send us their scan logs and we use that information to determine the 
extent of a probe/attack.

>I suspect the next step for us will be to send our reports to someone
>like DShield who will forward it on to the appropriate contact rather
>than doing it ourselves. Of course, often having the direct dialog with
>the other end is useful.

We do that already. Laurie Zirkle from here did her SANS practical on how to 
notify sites. Her paper is somewhere in the SANS site. We've been feeding 
incidents.org and intrusion.org for a couple of years now.

I was surprised to see the stats in the CHE article. With just under 15% of 
our total sysadmins sending me scan data, I have close to 7000 entries 
(multiple IP address/entry) since 8/1/01. Fortunately, a small fraction of 
these were successful. :-)

	-Randy Marchany
	VA Tech Computing Center
	Blacksburg, VA 24060
	marchany at vt.edu
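The message above describes using scan logs from departmental monitors to tell a single-target probe from a campus-wide sweep. The script below is an added example written for this page, not code from the poster or from any of the tools mentioned: it aggregates constructed firewall deny lines per source address and labels each source by how widely it spread across the monitored space. The key=value log format, the `fw1` host name, the addresses and the thresholds (`sweep_hosts`, `probe_ports`) are all assumptions for the example; a real IP filters or portsentry deployment would need `LINE_RE` adapted to its own log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real IP filters or portsentry output) in a
# simple key=value format assumed for this example. The last line is a
# non-connection event and is there to show that such lines are skipped.
SAMPLE_LOG = """\
Mar 12 20:01:02 fw1 deny src=203.0.113.9 dst=10.0.1.1 dport=111 proto=tcp
Mar 12 20:01:02 fw1 deny src=203.0.113.9 dst=10.0.1.2 dport=111 proto=tcp
Mar 12 20:01:03 fw1 deny src=203.0.113.9 dst=10.0.1.3 dport=111 proto=tcp
Mar 12 20:01:03 fw1 deny src=203.0.113.9 dst=10.0.1.4 dport=111 proto=tcp
Mar 12 20:01:04 fw1 deny src=203.0.113.9 dst=10.0.1.5 dport=111 proto=tcp
Mar 12 20:01:04 fw1 deny src=203.0.113.9 dst=10.0.2.7 dport=111 proto=tcp
Mar 12 20:05:10 fw1 deny src=198.51.100.7 dst=10.0.1.5 dport=21 proto=tcp
Mar 12 20:05:10 fw1 deny src=198.51.100.7 dst=10.0.1.5 dport=22 proto=tcp
Mar 12 20:05:11 fw1 deny src=198.51.100.7 dst=10.0.1.5 dport=23 proto=tcp
Mar 12 20:05:11 fw1 deny src=198.51.100.7 dst=10.0.1.5 dport=80 proto=tcp
Mar 12 20:05:12 fw1 deny src=198.51.100.7 dst=10.0.1.5 dport=111 proto=tcp
Mar 12 20:09:00 fw1 deny src=192.0.2.44 dst=10.0.3.9 dport=445 proto=tcp
Mar 12 20:09:01 fw1 info link state change on eth0
"""

# Pattern for the assumed format: source address, destination address, port.
LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a connection-attempt line, or None for
    lines that carry no attempt; those are skipped rather than treated as errors."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def summarize(lines):
    """Aggregate per source address: distinct targets, distinct ports, hit count."""
    summary = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        entry = summary[src]
        entry["hosts"].add(dst)
        entry["ports"].add(dport)
        entry["hits"] += 1
    return summary


def classify(entry, sweep_hosts=5, probe_ports=3):
    """Label a source by how it spread across the monitored address space.
    The thresholds are assumptions for this example, not values from the thread:
    many distinct targets means a sweep; one target on several ports means a
    focused probe; anything else is an isolated hit worth a second look."""
    if len(entry["hosts"]) >= sweep_hosts:
        return "campus-wide sweep"
    if len(entry["hosts"]) == 1 and len(entry["ports"]) >= probe_ports:
        return "single-target probe"
    return "isolated hit"


def report(lines, **thresholds):
    """Map each source address seen in the log to its classification."""
    return {src: classify(entry, **thresholds)
            for src, entry in summarize(lines).items()}


if __name__ == "__main__":
    for src, label in sorted(report(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} {label}")
```

The point of separating `summarize` from `classify` is that logs arriving from many departmental sysadmins can be merged before classification: a source that looks like an isolated hit in one department's log may turn out to be a sweep once several departments' lines are pooled, which is exactly the campus-wide view the message describes.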
