argus-clients informal survey

Russell Fulton r.fulton at auckland.ac.nz
Thu Jun 21 19:08:44 EDT 2001


On Thu, 21 Jun 2001 19:43:35 -0300 Chris Newton <newton at unb.ca> wrote:

> Yes, this is the sort of solution I was imagining, however, I have seen cases 
> where the single direction concept (drop remote side, keep locals) wouldn't be 
> enough. 
> We have had a couple cases where a trojan got installed in some unix 
> lab run by a department that is less interested in security then mine is (the 
> main computing center).  That lab was on a student network, with a netmask of 
> 255.255.240.0.  The intersting thing about this trojan, is that it used this 
> netmask it found on the machines as a guide to determine the range of possible 
> addresses it could spoof on this network, and have them all be valid.  So, 
> boom, an outgoing attack from 'thousands' of machines on our student network, 
> aimed at some poor soul out there in the big merky internet, which our routers 
> gladly sent on their merry way, since they were all valid IP addresses, 
> routes, TTLs, ...

Ouch! we have been spared that so for.  Mind you with just a few Mbps 
of external bandwidth we are not a tempting target for this sort of 
thing.  There are some advantages to being at the far end of the earth 
;-)

> 
>   So, I think the highwater mark would need to work both ways...  maybe if a 
> count was added to each IP address that argus was tracking...
> 
>   So, if 131.202.160.212 local is being attacked, each new flow you create, 
> that is associated with that IP, increment the counter.   Reset that counter 
> each time you print a MAR record.  If in that interval of time of the MAR 
> records, the IP has more then xxx records associated with it... start adding 
> all info to a single flow record.  And, maybe in this record, keep a count of 
> the number of unique remote IP addresses you are including in this 
> aggregation.  Do this logic with both sides (remote, local), and I think argus 
> would be stable at these high packet count levels.

This sounds like a sensible approach.  Long term it would be nice to 
have this stuff configurable in the flow model file.

eg.
if source_flowcount > xxxx use model yyy
if dest_flowcount > zzzz use model aaa



Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand



More information about the argus mailing list