Todd Heberlein intended to give a demonstration, but there were technical problems and time constraints. Todd intends to do the demonstration next week (November 13th). He gave a brief discussion below.
Simple Attacks: IP addresses going in/out are the same
TCP Layer SIN-FLAG set up LAND attack
ID Tag with Session
Data from packet stream or expression matching
Keep track of FTP commands, Login names
Keep track of IP address connections
Check if ports/addressing going to a vertical sweep or attack on lots of machines
Hundreds of connections per minutes:A web crawler like Lycos reindexes web pages and makes hundreds of connections/minute, but it could also be an attack.
How Connection is Terminated
SINFLOOD attackSIN packet goes outPacket Fragmentation SIN pack is sent in multiple fragments difficult to detect
SINAK packet - attack
Try to Characterize Failure States
No attempt to respond? Set a filter or set up a firewall.
UCD doesnt block anything. IP addresses in the lab have to be changed by December 31st, because they are going to turn off all routers that are not YK-2 compliant. They want to bring them under the ATM Umbrella.
Discussion about giving money to IT, when the Security Lab manages their own computer labs. One idea was to put all the undergraduates in IT labs and keep the computer labs for upper division classes/students only.
Another idea was to require all undergraduates to buy their own machines.
Virginia Tech was cited as the first campus to require student to buy machines
in 1984. There was disagreement over this issue financial burden
to student, software requirements, ability to run standard compiler.