Argus Flow reversal with ECRs ?? (fwd)

Peter Van Epp vanepp at
Wed Feb 16 00:39:31 EST 2000

	I expect that antispoof filters on the border (to prevent source 
address spoofing so the attacked site knows where it came from and will 
hopefully complain) and as you say a statistical approach looking for odd 
traffic (although the definition of odd on a University net is going to 
be difficult :-) ) are the only choices. I've been surprised at the lack of 
scans for clients that I've seen on our net. The ECR filter did turn up that
we had lost the x.x.x.0 access list in the border router when someone was using
one of our nets to flood someone else (the replies were of course sourced from
the various hosts on the net and flagged as ECR because the ping was to the 
0 address). 
	If the attacker is willing to use enough different systems it is going 
to be hard to pull an attack out of the base noise level (i.e. the amount of 
traffic coming out of our net to a specific site won't be suspiciously large). 
I expect a scan for multiple different systems on site all going to the same 
external address with odd data might be cause for suspicion but as you say an 
ftp control channel or ICQ wouldn't be all that suspicious.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> Is anyone else pondering how to detect communication between master and 
> slave for these ddos systems using Argus?  Systems like TFN2K which 
> hide content by encryption, use random ports, and random padding to 
> aid concealment. It seems to me that the only way to detect traffic is by 
> establishing a baseline profile for local systems and then looking for 
> changes.  In an environment like ours (with 1000s of uncontrolled hosts) 
> this is impractical.  
> These systems are evolving quite quickly and I suspect that we will soon 
> see versions that deliberately mimic traffic patterns of existing 
> services (ICQ or ftp control would be good candidates) so that one 
> can't use statistical methods either.
> Russell Fulton,  The University of Auckland.  New Zealand.
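The three checks discussed in this exchange (an antispoof check on the border, an ECR filter catching many local hosts replying to one outside address, and a fan-in check for many local systems all talking to the same external host) as a small added example. This is not code from the thread or from Argus; the record format is a constructed, simplified "proto src dst pkts" line, not real `ra` output, the sample records are constructed, `LOCAL_NET` uses a documentation prefix standing in for "our net", and the thresholds are arbitrary assumptions a site would tune against its own baseline.

```python
"""Added example: flow-level heuristics for the detection ideas in the thread.

Assumptions (not from the original post or from Argus):
  - records are 'proto src dst pkts', a constructed simplification, not ra(1) output
  - all records are traffic leaving the site border, so src should be local
  - LOCAL_NET and the min_sources thresholds are placeholders to tune per site
"""
import ipaddress
from collections import defaultdict

# Stands in for "our net"; 192.0.2.0/24 is a documentation range (assumption).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample records: four local hosts sending echo replies to one
# outside address (the reflector pattern the ECR filter caught), five local
# hosts with TCP flows to one outside host, some ordinary traffic, and one
# flow with a source address that is not ours (spoofed, should not leave).
SAMPLE_FLOWS = """\
icmp-ecr 192.0.2.10 198.51.100.5 40
icmp-ecr 192.0.2.11 198.51.100.5 38
icmp-ecr 192.0.2.12 198.51.100.5 41
icmp-ecr 192.0.2.13 198.51.100.5 39
tcp 192.0.2.20 203.0.113.7 12
tcp 192.0.2.21 203.0.113.7 9
tcp 192.0.2.22 203.0.113.7 15
tcp 192.0.2.23 203.0.113.7 11
tcp 192.0.2.24 203.0.113.7 10
tcp 192.0.2.30 203.0.113.99 300
icmp-ecr 192.0.2.40 203.0.113.42 1
udp 172.16.5.5 198.51.100.9 20
"""


def parse_flows(text):
    """Parse the constructed 'proto src dst pkts' records into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, pkts = line.split()
        flows.append({
            "proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "pkts": int(pkts),
        })
    return flows


def find_spoofed_sources(flows):
    """Antispoof check: outbound flows whose source is not in LOCAL_NET.

    These are what a border egress filter should drop; seeing them in the
    flow data means the filter is missing, as the lost access list in the
    thread was."""
    return sorted({str(f["src"]) for f in flows if f["src"] not in LOCAL_NET})


def _local_sources_per_external_dst(flows, proto=None):
    """Map each external destination to the set of local sources talking to it."""
    sources = defaultdict(set)
    for f in flows:
        if proto is not None and f["proto"] != proto:
            continue
        if f["src"] in LOCAL_NET and f["dst"] not in LOCAL_NET:
            sources[str(f["dst"])].add(str(f["src"]))
    return sources


def find_reflected_ecr(flows, min_sources=3):
    """ECR filter: many distinct local hosts sending echo replies to one
    outside address, the signature of our net being used as a reflector."""
    per_dst = _local_sources_per_external_dst(flows, proto="icmp-ecr")
    return {dst: srcs for dst, srcs in per_dst.items() if len(srcs) >= min_sources}


def find_fan_in(flows, min_sources=5):
    """Fan-in check: many distinct local systems all going to the same
    external address, regardless of protocol. Noisy on a university net,
    so the threshold must be set from a baseline."""
    per_dst = _local_sources_per_external_dst(flows)
    return {dst: srcs for dst, srcs in per_dst.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("spoofed sources:", find_spoofed_sources(flows))
    print("reflected ECR:", find_reflected_ecr(flows))
    print("fan-in:", find_fan_in(flows))
```

The fan-in check deliberately ignores protocol, since the point raised in the thread is that a control channel may look like ftp or ICQ; what it cannot do is distinguish five hosts fetching the same popular site from five agents reporting to a master, which is why the threshold and an exclusion list for well-known destinations would come from the site's own baseline.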
