On Wed, 1 May 2002, Pete Kruckenberg wrote:
> On Thu, 2 May 2002, Christopher L. Morrow wrote:
> > Funny, you say 'secured' here...
> > > These are not zombies. They are secured, uncompromised Web servers. The attack spoofs the target address as the source, [snip]
> > and here you say: "printers and routers". Since when did they need to be accessible off campus? Additionally, why does a router need a web interface?? Printers are on the cusp, but they certainly don't need to be accessible from out of your LAN.
>
> More clarification needed. We are not a campus network. We are a state-wide research/education network, as in we are the service provider to the various K-12 and higher-ed institutions in the state (there is a network, not a purchasing cooperative like many other state "networks").

This does complicate things. What about adding some security provisions to your 'contract'?? Or providing managed firewall services? Or better yet, reselling managed firewall services to your customers? :) There are ways; most times it just comes down to people at the far end not knowing enough to protect themselves, or not having the manpower to fix it :(

> We are large in the sense that there are some 1,000 end sites (each comparable in size to a mid- to large-size enterprise) and a network that looks like many national networks, but condensed into a single state. We tend to design and operate our network, and experience problems, similar to a national-scale network.
>
> Like almost every other service provider, we do not have the luxury of simply putting a firewall at the border of our network, since we do not have the ability to enforce security policies any more than other service providers do. We also have the ability to suggest security policy and block hosts or networks that interfere with network operations, but it's not our business whether someone uses a Web interface to their printer or router any more than it's UUNet's business.

Agreed, which is why we have resale and managed firewall businesses, so the customer can say what their security policy should be.

> We do have a fairly aggressive security group that identifies compromised machines and assists customers in properly securing them. We can be fairly certain that the way these hosts are responding to this DoS attack is not as a result of being compromised, but a "normal" IP stack implementation.

'normal' to something that really has no business being accessible ;( but I agree with your point.

> As such, though we are a state education service provider, it seems that these kinds of attacks are most likely pervasive on all networks, and probably are going on all the time. One advantage we have is a close relationship with our customers, which allows us to use tools such as IDS and Netflow in conjunction with information about the customer implementation to identify what is a bona fide attack.
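The thread describes hosts that are not compromised at all: they receive a SYN whose source address has been forged to the victim's, and their unmodified IP stack answers with a SYN-ACK, so the victim is flooded by the replies of many innocent web servers, printers and routers. Pete mentions using Netflow to tell such reflection apart from ordinary traffic. The following is an added example written for this page, not code from the thread or from either network: it takes NetFlow-style records (fields modelled on NetFlow v5: source, destination, ports, protocol, the OR of all TCP flags seen in the flow, packet count; the record format, the customer prefix 198.51.100.0/24, the thresholds and every sample record are constructed) and flags outside addresses that are receiving SYN-ACK-only flows from many distinct customer hosts, using the retransmissions that a spoofed source provokes to separate that pattern from a live port scanner.

```python
"""Flag SYN-ACK reflection in NetFlow-style export records.

Added example; not code from the NANOG thread or from either network
discussed there. Assumes NetFlow v5-like fields (srcaddr, dstaddr,
srcport, dstport, prot, tcp_flags as the OR of all flags seen in the
flow, dPkts) and a known customer prefix. Thresholds and the sample
records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: int   # cumulative TCP flags seen in the flow
    pkts: int


def parse_flows(text):
    """Parse 'src dst sport dport proto flags(hex) pkts' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, sport, dport, proto, flags, pkts = line.split()
        flows.append(Flow(src, dst, int(sport), int(dport), int(proto),
                          int(flags, 16), int(pkts)))
    return flows


def find_reflection_victims(flows, customer_prefix, min_reflectors=3,
                            min_retransmit_ratio=2.0):
    """Return {victim_ip: {"reflectors": [...], "synack_pkts": n, "syn_pkts": n}}.

    Two signals are combined:
      1. Many distinct customer hosts send flows toward the same outside
         address whose only flags are SYN+ACK: a handshake that never
         completes, because the apparent client never asked for it.
      2. Outbound SYN-ACK packets outnumber inbound SYN packets by at least
         min_retransmit_ratio. A live client that gets an unsolicited
         SYN-ACK answers RST and the server stops; a spoofed source never
         answers, so each server retransmits its SYN-ACK several times.
    Caveat (heuristic): a victim that can still get RSTs out looks like a
    scanner here, so in practice this is weighed with rate and IDS data.
    """
    net = ip_network(customer_prefix)

    def inside(ip):
        return ip_address(ip) in net

    synack_out = defaultdict(list)   # outside address -> SYN-ACK-only flows to it
    syn_in = defaultdict(int)        # outside address -> packets in its SYN flows
    for f in flows:
        if f.proto != 6:
            continue
        if inside(f.src) and not inside(f.dst) and f.flags == SYN | ACK:
            synack_out[f.dst].append(f)
        elif not inside(f.src) and inside(f.dst) and f.flags & SYN and not f.flags & ACK:
            # client-side SYN; a scanner's RST lands in the same flow, and
            # either packet proves the sender is live, so count them all
            syn_in[f.src] += f.pkts

    victims = {}
    for dst, fl in synack_out.items():
        reflectors = sorted({f.src for f in fl}, key=ip_address)
        synack_pkts = sum(f.pkts for f in fl)
        syn_pkts = syn_in.get(dst, 0)
        ratio = synack_pkts / syn_pkts if syn_pkts else float("inf")
        if len(reflectors) >= min_reflectors and ratio >= min_retransmit_ratio:
            victims[dst] = {"reflectors": reflectors,
                            "synack_pkts": synack_pkts, "syn_pkts": syn_pkts}
    return victims


# Constructed sample export. Customer prefix 198.51.100.0/24; 203.0.113.7 is
# the spoofed (victim) address; 192.0.2.99 is a real scanner for contrast.
SAMPLE = """
# src dst sport dport proto flags pkts
# spoofed SYNs "from" the victim to five customer hosts (web, printer, router)
203.0.113.7 198.51.100.10 40001 80 6 02 1
203.0.113.7 198.51.100.11 40002 80 6 02 1
203.0.113.7 198.51.100.12 40003 80 6 02 1
203.0.113.7 198.51.100.13 40004 80 6 02 1
203.0.113.7 198.51.100.14 40005 80 6 02 1
# each host answers SYN-ACK and keeps retransmitting; nobody ever RSTs it
198.51.100.10 203.0.113.7 80 40001 6 12 5
198.51.100.11 203.0.113.7 80 40002 6 12 5
198.51.100.12 203.0.113.7 80 40003 6 12 4
198.51.100.13 203.0.113.7 80 40004 6 12 5
198.51.100.14 203.0.113.7 80 40005 6 12 4
# a live port scanner: SYN, gets one SYN-ACK, answers RST (same flow: SYN|RST)
192.0.2.99 198.51.100.10 55000 80 6 06 2
192.0.2.99 198.51.100.11 55000 80 6 06 2
192.0.2.99 198.51.100.12 55000 80 6 06 2
198.51.100.10 192.0.2.99 80 55000 6 12 1
198.51.100.11 192.0.2.99 80 55000 6 12 1
198.51.100.12 192.0.2.99 80 55000 6 12 1
# an ordinary completed web session (FIN|SYN|PSH|ACK both ways)
192.0.2.5 198.51.100.10 51234 80 6 1b 9
198.51.100.10 192.0.2.5 80 51234 6 1b 8
"""

if __name__ == "__main__":
    for victim, info in find_reflection_victims(parse_flows(SAMPLE), "198.51.100.0/24").items():
        print(f"{victim}: {len(info['reflectors'])} customer hosts reflecting, "
              f"{info['synack_pkts']} SYN-ACK pkts out vs {info['syn_pkts']} SYN pkts in")
```

On the sample, only 203.0.113.7 is reported: five customer hosts answer it with SYN-ACK-only flows and send 23 SYN-ACKs against 5 inbound SYNs. The scanner 192.0.2.99 also draws SYN-ACKs from three hosts, but it RSTs each one, so the ratio stays below 1 and it is left alone; that is the distinction between "hosts behaving normally toward a forged source" and "hosts behaving normally toward a real one". The reflectors list is exactly the set of customer hosts the security group would want to look at, even though, as the thread says, none of them is compromised.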