[Micronet] Denial of Service Attack

[Micronet] Denial of Service Attack

Lynne Grigsby
Have any of you experienced  a seemingly sophisticated denial of service attack?  If so, do you have any advice, solutions on how to handle?  The Library is currently experiencing one and are looking into solutions.   Any assistance/advice would be appreciated.
Lynne


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Denial of Service Attack

Isaac Orr-2
"Contact your upstream provider" is often high on the list of things to
do.   I will be in touch.

iso




On 1/18/12 9:51 AM, Lynne Grigsby wrote:

> Have any of you experienced a seemingly sophisticated denial of service attack?
> If so, do you have any advice, solutions on how to handle? The Library is
> currently experiencing one and are looking into solutions. Any assistance/advice
> would be appreciated.
> Lynne

Re: [Micronet] Denial of Service Attack

Hari Hirani
In reply to this post by Lynne Grigsby
Lynne,

Is the attack originating internally or externally?

External attack - Get help from your service provider.
Internal attack - Let the local networking group find, isolate and secure the problem devices.

Hari

On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:

> Have any of you experienced  a seemingly sophisticated denial of service attack?  If so, do you have any advice, solutions on how to handle?  The Library is currently experiencing one and are looking into solutions.   Any assistance/advice would be appreciated.
> Lynne

Re: [Micronet] Denial of Service Attack

Michael Sinatra-3
I am surprised that SNS hasn't mentioned this, but:

Please remember that Micronet is a public, open, and publicly-archived
mailing list.  Discussing ongoing attacks here is probably not a good
idea.  Please move this to ucb-security@ or take it directly to
[hidden email].

michael


On 01/18/12 10:32, hari hirani wrote:

> Lynne,
>
> Is the attack originating internally or externally?
>
> External attack - Get help from your service provider.
> Internal attack - Let the local networking group find, isolate and secure the problem devices.
>
> Hari
>
> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>
>> Have any of you experienced  a seemingly sophisticated denial of service attack?  If so, do you have any advice, solutions on how to handle?  The Library is currently experiencing one and are looking into solutions.   Any assistance/advice would be appreciated.
>> Lynne

Re: [Micronet] Denial of Service Attack

ken lindahl
In reply to this post by Hari Hirani
Hari and Lynne,

the "service provider" for campus is in fact "the local networking group," namely Network Operations and Services (NOS) in IST Telecommunications.

however, in cases like this where an apparent DoS is causing problems for a campus host, System and Network Security (SNS), also in IST Telecommunications, takes the lead rather than Telecommunications. NOS takes the lead when the issue is causing operational issues for the network itself.

SNS has the capability of blocking campus ("internal") and off-campus ("external") IP addresses that are sourcing attacks, *IF* that action is warranted and helpful (in many cases, this is not a helpful approach). NOS and SNS work closely when circumstances call for it.

so, i believe SNS should be Lynne's primary contact in this case.

and, i completely agree with Michael Sinatra's reminder that micronet is wide open and any details of the attack should not be mentioned in micronet. fortunately, i don't think any detailed information about this particular incident has been announced here.

ken

On 1/18/2012 10:32 AM, hari hirani wrote:

> Lynne,
>
> Is the attack originating internally or externally?
>
> External attack - Get help from your service provider.
> Internal attack - Let the local networking group find, isolate and secure the problem devices.
>
> Hari
>
> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>
>> Have any of you experienced  a seemingly sophisticated denial of service attack?  If so, do you have any advice, solutions on how to handle?  The Library is currently experiencing one and are looking into solutions.   Any assistance/advice would be appreciated.
>> Lynne

Re: [Micronet] Denial of Service Attack

Lynne Grigsby
In reply to this post by Hari Hirani
external -- we did put in a ticket and were told to ban IPs -- unfortunately that is not feasible as they are changing IPs and we feel that anything that determines the IPs to block would also cause the system to be overwhelmed.
Lynne


On 1/18/2012 10:32 AM, hari hirani wrote:
> Lynne,
>
> Is the attack originating internally or externally?
>
> External attack - Get help from your service provider.
> Internal attack - Let the local networking group find, isolate and secure the problem devices.
>
> Hari
>
> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>
>> Have any of you experienced a seemingly sophisticated denial of service attack? If so, do you have any advice, solutions on how to handle? The Library is currently experiencing one and are looking into solutions. Any assistance/advice would be appreciated.
>> Lynne



Re: [Micronet] Denial of Service Attack

Lynne Grigsby
In reply to this post by Hari Hirani
Let me say I did put in a trouble ticket and wasn't offered more than
the advice for us to block by IP.  Writing to micronet seems to have
elevated our problem and may get us some help!
Lynne


On 1/18/2012 10:50 AM, ken lindahl wrote:

> Hari and Lynne,
>
> the "service provider" for campus is in fact "the local networking
> group," namely Network Operations and Services (NOS) in IST
> Telecommunications.
>
> however, in cases like this where an apparent DoS is causing problems
> for a campus host, System and Network Security (SNS), also in IST
> Telecommunications, takes the lead rather than Telecommunications. NOS
> takes the lead when the issue is causing operational issues for the
> network itself.
>
> SNS has the capability of blocking campus ("internal") and off-campus
> ("external") IP addresses that are sourcing attacks, *IF* that action
> is warranted and helpful (in many cases, this is not a helpful
> approach). NOS and SNS work closely when circumstances call for it.
>
> so, i believe SNS should be Lynne's primary contact in this case.
>
> and, i completely agree with Michael Sinatra's reminder that micronet
> is wide open and any details of the attack should not be mentioned in
> micronet. fortunately, i don't think any detailed information about
> this particular incident has been announced here.
>
> ken
>
> On 1/18/2012 10:32 AM, hari hirani wrote:
>> Lynne,
>>
>> Is the attack originating internally or externally?
>>
>> External attack - Get help from your service provider.
>> Internal attack - Let the local networking group find, isolate and
>> secure the problem devices.
>>
>> Hari
>>
>> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>>
>>> Have any of you experienced  a seemingly sophisticated denial of
>>> service attack?  If so, do you have any advice, solutions on how to
>>> handle?  The Library is currently experiencing one and are looking
>>> into solutions.   Any assistance/advice would be appreciated.
>>> Lynne

Re: [Micronet] Denial of Service Attack

paul rivers
In reply to this post by Michael Sinatra-3

Yes, please.  Thank you for the campus reminder, Michael.
Paul


On 01/18/2012 10:36 AM, Michael Sinatra wrote:

> I am surprised that SNS hasn't mentioned this, but:
>
> Please remember that Micronet is a public, open, and publicly-archived
> mailing list.  Discussing ongoing attacks here is probably not a good
> idea.  Please move this to ucb-security@ or take it directly to
> [hidden email].
>
> michael
>
>
> On 01/18/12 10:32, hari hirani wrote:
>> Lynne,
>>
>> Is the attack originating internally or externally?
>>
>> External attack - Get help from your service provider.
>> Internal attack - Let the local networking group find, isolate and secure the problem devices.
>>
>> Hari
>>
>> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>>
>>> Have any of you experienced  a seemingly sophisticated denial of service attack?  If so, do you have any advice, solutions on how to handle?  The Library is currently experiencing one and are looking into solutions.   Any assistance/advice would be appreciated.
>>> Lynne

Re: [Micronet] Denial of Service Attack

jives
In reply to this post by Lynne Grigsby
I am in a meeting at the moment, but I will try to respond to this on
ucb-security.

John


> external -- we did put in a ticket and were told to ban IPs --
> unfortunately that is not feasible as they are changing IPs and we
> feel that anything that determines the IPs to block would also cause
> the system to be overwhelmed.
> Lynne
>
> On 1/18/2012 10:32 AM, hari hirani wrote:
>> Lynne,
>>
>> Is the attack originating internally or externally?
>>
>> External attack - Get help from your service provider.
>> Internal attack - Let the local networking group find, isolate and
>> secure the problem devices.
>>
>> Hari
>>
>> On Jan 18, 2012, at 9:51 AM, Lynne Grigsby wrote:
>>
>>> Have any of you experienced a seemingly
>>> sophisticated denial of service attack? If so, do you have any
>>> advice, solutions on how to handle? The Library is currently
>>> experiencing one and are looking into solutions. Any
>>> assistance/advice would be appreciated.
>>> Lynne


--
Number 3 of The Twelve Networking Truths from RFC 1925
(http://www.faqs.org/rfcs/rfc1925.html):

With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly overhead.


 