4

I am the admin of a small network. Users in our network have access to the internet through a Squid NAT server.

Recently, we have detected that some users are using LOIC to attack servers on the internet. How can I detect and block such attackers automatically?

Is there any straightforward way to do this (e.g. blocking a particular port or pattern)? Or do I have to use intelligent software that detects misbehaviour by our users and blocks them?

Temporary IP-based blocking is sufficient for us.

Isaac
    Why? You saw it now. Fire him! It will not reoccur. – mailq Oct 21 '11 at 16:28
  • possible duplicate of [What should I do about this user?](http://serverfault.com/questions/323706/what-should-i-do-about-this-user) – MikeyB Oct 21 '11 at 17:23
  • Unplug their PCs from the switch. Let both your and their supervisors know that they're running hacking software on their PCs and could get you into a ton of hot water. – afrazier Oct 21 '11 at 17:48
  • @mailq: Thanks for the anarchist short comment, but: Users are anonymous on the network. IPs are assigned through a DHCP server. Establishing an authentication policy for our network is not currently possible. Blocking them temporary and automatically is enough for us. – Isaac Oct 21 '11 at 17:52
  • @Isaac Anonymous access must be forbidden. Dependent on where you live it can involve bizarre legal issues if you can't track down the offending user. And if it is not trackable then the network owner will be held responsible. Can you cope with that? I won't. And (outside) blocking is like closing the eyes while bad things happen. – mailq Oct 21 '11 at 19:02

1 Answer

4

mailq's comment isn't so much anarchist as it is the Right Answer for Most Cases.

If users are using corporate (or school, etc) resources to perform illegal activity (whether it is on the Internet or not), appropriate measures should be taken to let them know that this is completely unacceptable.

Nobody should be anonymous on your network, you should be able to easily track it down to a specific computer (DHCP lease) and most likely a specific user.

Given all that, the SpiderLabs Blog has an article on Snort rules to detect LOIC activity. Implementing Snort may be your best option if you really can't address the problem through education or a LART.


Ben's comment brings up a whole 'nother can of worms. Consider:

  1. Does this expose the network owner to liability if illegal activities are conducted?
  2. How open do things really need to be? Can you open HTTP/HTTPS-only? Can you rate-limit?
  3. On a large network (such as a hospital) you may be better off with a commercial hardware IDS/firewall.
MikeyB
    Say that to hospital administrators when the C-level has declared the network open because of the academic side of the shop and the public needs access. Your answer is 'perfect world / perfect network', which doesn't exist. – Ben Campbell Oct 21 '11 at 18:14
  • @Ben-SysAdminCircus: Fair enough, actually… – MikeyB Oct 21 '11 at 18:45
  • Question #1 is EXACTLY how I used to get through to administrators. It was their reaction to my suggestion that we "run this past the lawyers". That's a sure-fire way to get attention. – Ben Campbell Oct 21 '11 at 19:03
  • We have clients in our facility that we provide internet connections for. Since they are generally professionals and people that we know, I don't worry. But I have plenty of restrictions in place to prevent my employees from using the same wireless for BitTorrent and other such illegal activities. And if a legitimate client has an issue connecting to their home office, I simply unlock the connection for them for their visit and then lock it back down once they are through. But my company would be liable for any wrongdoing, and the management has accepted that risk and is aware of it. – MikeAWood Oct 22 '11 at 07:29
  • Another note on this: let's say you detect the activity and you act upon it. Maybe it takes once, maybe it takes five times for you to catch on, but the fact that you make a concerted, documented effort to police your network is often enough to provide a shield against lawsuits. It is very difficult to bring a lawsuit against a company that openly and aggressively tries to protect their own and others' intellectual property. LOIC attacks notwithstanding, if you cooperate and act in good faith, that's more than half the battle. – Ben Campbell Oct 28 '11 at 14:09
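The question asks for automatic, temporary IP-based blocking, and the answer points at Snort rules for LOIC detection. As an added illustration of the detection side (this is not code from the question, from MikeyB's answer, or from the SpiderLabs article), the script below reads Squid native `access.log` lines, keeps a sliding window of requests per client-to-host pair, and flags any client whose rate to a single host exceeds a threshold, emitting a block entry with an expiry time. The thresholds (50 requests in 10 seconds, 15-minute block), the log lines, the hostnames and IPs are all constructed for the example, and the rendered `iptables` commands assume the NAT box filters in the `INPUT` chain; adjust both to your network. LOIC's HTTP mode shows up on a proxy as a burst of requests from one client to one host, which is what a rate check catches, but a signature-based IDS such as Snort is the better tool for the non-HTTP flood modes that never pass through Squid.

```python
"""Rate-based flood detection over Squid access.log lines with temporary,
expiring IP blocks.  Illustrative example; thresholds and sample data are
constructed, not taken from the question or answer above."""
from collections import defaultdict, deque

# Assumed policy (not from the page): more than MAX_REQUESTS requests from one
# client to one destination host inside WINDOW_SECONDS triggers a block that
# lasts BLOCK_SECONDS.
MAX_REQUESTS = 50
WINDOW_SECONDS = 10.0
BLOCK_SECONDS = 15 * 60


def parse_squid_line(line):
    """Parse one Squid native log line:
    'timestamp elapsed client action/code bytes method URL ident hierarchy type'.
    Returns (timestamp, client_ip, destination_host) or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    client = parts[2]
    url = parts[6]
    # Strip scheme, path and port; CONNECT requests log 'host:port' directly.
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return ts, client, host


def detect_floods(lines, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                  block_for=BLOCK_SECONDS):
    """Return {client_ip: (target_host, block_until_epoch)} for every client
    whose request rate to one host exceeded the threshold."""
    windows = defaultdict(deque)   # (client, host) -> recent timestamps
    blocks = {}
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        if client in blocks:
            continue               # already blocked; nothing more to learn
        recent = windows[(client, host)]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop requests older than the window
        if len(recent) > max_requests:
            blocks[client] = (host, ts + block_for)
    return blocks


def expired(blocks, now):
    """List the clients whose temporary block has run out at time `now`."""
    return sorted(ip for ip, (_, until) in blocks.items() if until <= now)


def render_block_commands(blocks):
    """Render one iptables DROP rule per blocked client (assumes the Squid/NAT
    box filters client traffic in its INPUT chain)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocks)]


def constructed_log():
    """Constructed sample: one flooding client, one normal browser, and one
    bursty client that stays under the threshold."""
    base = 1319212345.0
    lines = []
    for i in range(60):    # 60 requests in 6 s to a single host -> flood
        lines.append(f"{base + i * 0.1:.3f} 5 10.0.0.5 TCP_MISS/200 512 GET "
                     "http://victim.example/ - DIRECT/198.51.100.10 text/html")
    for i in range(20):    # 20 requests over 60 s to four hosts -> normal
        lines.append(f"{base + i * 3:.3f} 120 10.0.0.7 TCP_MISS/200 4096 GET "
                     f"http://site{i % 4}.example/page{i} - DIRECT/203.0.113.20 text/html")
    for i in range(40):    # 40 requests in 8 s -> bursty but under threshold
        lines.append(f"{base + i * 0.2:.3f} 5 10.0.0.9 TCP_MISS/200 512 GET "
                     "http://victim.example/ - DIRECT/198.51.100.10 text/html")
    lines.sort(key=lambda entry: float(entry.split()[0]))
    return lines


if __name__ == "__main__":
    found = detect_floods(constructed_log())
    for ip, (host, until) in found.items():
        print(f"block {ip} (flooding {host}) until epoch {until:.0f}")
    for cmd in render_block_commands(found):
        print(cmd)
```

Run as a cron job or a tail on `access.log`, the `expired()` list is what a matching `iptables -D` step would consume to lift blocks after the period the question asks for; the per-(client, host) key is what keeps a busy but legitimate user browsing many sites from tripping the check.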