Friday, November 6, 1998
Security Lab II (2244 Eng II)

Todd Heberlein intended to give a demonstration, but technical problems and time constraints prevented it.  Todd intends to give the demonstration next week (November 13th).  The brief discussion he gave instead is summarized below.


Simple Attacks:  source and destination IP addresses of a packet are the same

TCP Layer – SYN flag set – LAND attack

 ID tag with session
 Data from packet – stream or expression matching
 Keep track of FTP commands, login names
 Keep track of IP address connections
 Check whether the ports/addresses being contacted indicate a vertical sweep or an attack on lots of machines
 Hundreds of connections per minute:
A web crawler like Lycos reindexes web pages and makes hundreds of connections per minute, but the same rate could also be an attack.
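The heuristics sketched above (same source and destination address for the LAND case, a vertical sweep across many ports on one host, a horizontal sweep across many hosts, and a connection rate in the hundreds per minute) can be checked over a list of connection records. The code below is an added illustration, not from the meeting or from Todd's demonstration; the record format and the sample records are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample connection attempts: (time_s, src_ip, dst_ip, dst_port).
SAMPLE = (
    [(0.0, "10.0.0.5", "10.0.0.5", 139)]                                      # src == dst (LAND-style)
    + [(1.0 + i * 0.01, "192.0.2.9", "10.0.0.7", 20 + i) for i in range(20)]  # 20 ports on one host
    + [(2.0 + i * 0.1, "198.51.100.3", "10.0.0.%d" % (i % 4), 80) for i in range(120)]  # crawler-like
)

def land_records(records):
    """Simple check: source and destination address are identical."""
    return [r for r in records if r[1] == r[2]]

def sweeps(records, min_ports=10, min_hosts=10):
    """Per source: vertical sweep (many ports on one host) or horizontal (many hosts)."""
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # src -> distinct destination hosts
    for _, src, dst, port in records:
        ports[(src, dst)].add(port)
        hosts[src].add(dst)
    found = {}
    for (src, dst), p in ports.items():
        if len(p) >= min_ports:
            found[src] = ("vertical", dst, len(p))
    for src, h in hosts.items():
        if len(h) >= min_hosts:
            found[src] = ("horizontal", None, len(h))
    return found

def rate_per_source(records, window=60.0):
    """Maximum number of attempts from each source inside any sliding window (seconds)."""
    times = defaultdict(list)
    for t, src, _, _ in records:
        times[src].append(t)
    result = {}
    for src, ts in times.items():
        ts.sort()
        best, lo = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        result[src] = best
    return result

def flag_high_rate(records, window=60.0, threshold=100):
    """Sources making hundreds of connections per minute; a crawler and an attacker
    look the same here, so this is a candidate for review, not a verdict."""
    return {s: n for s, n in rate_per_source(records, window).items() if n >= threshold}

if __name__ == "__main__":
    print(land_records(SAMPLE)); print(sweeps(SAMPLE)); print(flag_high_rate(SAMPLE))
```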

How a Connection Is Terminated

 SYN flood attack
 SYN packet goes out
 SYN-ACK packet – attack
 RESET packet
 Packet fragmentation – SYN packet is sent in multiple fragments – difficult to detect

Try to Characterize Failure States
No attempt to respond?  Set a filter or set up a firewall.

UCD doesn't block anything.  IP addresses in the lab have to be changed by December 31st, because they are going to turn off all routers that are not Y2K compliant.  They want to bring them under the ATM umbrella.

Discussion about giving money to IT when the Security Lab manages its own computer labs.  One idea was to put all the undergraduates in IT labs and keep the computer labs for upper division classes/students only.

Another idea was to require all undergraduates to buy their own machines.  Virginia Tech was cited as the first campus to require students to buy machines, in 1984.  There was disagreement over this issue – financial burden on students, software requirements, ability to run a standard compiler.