Archive for June, 2002

Anti-virus Mail Scanning

Several changes to the campus electronic mail delivery system have been made recently to improve network security, without adversely impacting performance.

The number of computer virus infections has been steadily increasing over the past several years and is continuing to rise. Many computers are lacking the necessary virus detection software and do not have the most recent security patches to prevent virus infection.

NACS has therefore modified the campus Mail Transfer Agent computers (MTAs) to employ software called “MailScanner” and “Sophos Anti-Virus Interface” (SAVI) to limit the number of viruses campus personnel receive via e-mail.

MailScanner is software that examines every e-mail message coming onto campus. If the message has an attachment, it hands the attachment to SAVI, which tests the attachment to see if it carries a virus. Details of these mail processing steps are available at http://www.nacs.uci.edu/email/virus-scanning.html. The database SAVI uses to identify viruses is automatically updated every night.

The campus receives approximately 180,000 messages a day, and to compensate for the additional computation represented by MailScanner and SAVI, the MTAs have been upgraded to new SunFire 280R systems. In the first few weeks of use, MailScanner and SAVI successfully deflected 10,000 viruses a day, representing about 7% of the total mail volume the campus receives. 75-80% of those viruses have been “Klez”, which is particularly harmful as it disguises the actual sender of the attachment. Because of this, some people on campus have been warned that they sent viruses for which they were not, in fact, responsible. NACS has decided to temporarily cease issuing notifications to senders of viruses, due to the confusion this causes.

While e-mail is the most common way of getting a virus, and while the new system limits e-mail-borne viruses from off campus, individual owners should remain actively involved in the protection of their systems from viruses. See http://www.nacs.uci.edu/security/virus.html for more information.

Future efforts will include an assessment of the feasibility of removing Unsolicited Commercial Email (UCE or Spam). Comments are welcome: nacs@uci.edu

UCI Internet Traffic Costs Rise

UCI’s Internet traffic increased at an alarming rate during the first 4 months of 2002. UCI’s bill includes a fixed component, plus an additional cost based on actual usage.

NACS monitors usage levels on behalf of UCI. The two primary sources of traffic increase in 2002 might be characterized as “recreation” and “abuse”.

“Recreation” includes downloading large video and audio files using “peer to peer” applications similar to Napster. NACS has limited the bandwidth allotted to peer to peer applications in an attempt to reduce recreational usage and its impact on campus costs.

An example of abuse would be an unauthorized person taking over a campus computer, and using it as a remote server. NACS is addressing abuse through several activities, including analyzing daily network traffic looking for “top talkers.” These are the machines making a disproportionate demand on the network. NACS can sometimes find compromised systems in normally quiet machines that suddenly start making unusual demands of the network.

NACS has collected links regarding network metrics and campus Internet usage at http://www.nacs.uci.edu/ucinet/metrics

Intrusion Detection System

NACS has implemented an Intrusion Detection System (IDS) in an effort to reduce “Distributed Denial of Service” attacks which both deny legitimate users access to the network and drive up UCI’s network costs.

The Dragon IDS and Argus (Audit Record Generation and Utilization System) systems were installed recently at the campus border router. At present, the IDS is in a “learning” state so that it does not adversely impact campus users. This involves turning off network usage patterns (“signatures”) that are common at UCI or otherwise not worth worrying about, tuning others to report just traffic from off-campus to on-campus hosts, and telling it to ignore some signatures for some hosts. This will be an ongoing effort, and should result in better sensor performance on the IDS server over time.

The Argus software is collecting data on the flows it sees. This data will be useful if we find a system that has been compromised, as we may be able to track down what system attacked it using what exploit, and then we can report it to the off-campus network service provider responsible for the offending computer.
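The “top talkers” review described under UCI Internet Traffic Costs Rise, applied to the kind of per-flow data Argus collects, as an added example that is not NACS code: constructed daily per-host byte totals are ranked for one day and compared against each host's earlier days, so a steadily busy server is not flagged but a normally quiet machine that suddenly gets loud is. The record layout and the 10x threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, not real campus data. Each record is
# (day, source host, bytes sent); the field layout is assumed, loosely
# following what a flow collector such as Argus can export.
FLOWS = [
    ("2002-06-01", "10.0.0.5", 2_000_000_000),   # busy but normal server
    ("2002-06-01", "10.0.0.9", 3_000_000),
    ("2002-06-01", "10.0.0.12", 5_000_000),
    ("2002-06-02", "10.0.0.5", 2_100_000_000),
    ("2002-06-02", "10.0.0.9", 4_000_000),
    ("2002-06-02", "10.0.0.12", 6_000_000),
    ("2002-06-03", "10.0.0.5", 1_900_000_000),
    ("2002-06-03", "10.0.0.9", 3_500_000),
    ("2002-06-03", "10.0.0.12", 900_000_000),    # quiet desktop, suddenly loud
]

def daily_bytes(flows):
    """Sum bytes per (day, host) pair."""
    totals = defaultdict(int)
    for day, host, nbytes in flows:
        totals[(day, host)] += nbytes
    return totals

def top_talkers(flows, day, n=3):
    """Hosts with the largest volume on the given day, highest first."""
    totals = daily_bytes(flows)
    ranked = sorted(((h, b) for (d, h), b in totals.items() if d == day),
                    key=lambda hb: hb[1], reverse=True)
    return ranked[:n]

def quiet_hosts_gone_loud(flows, day, factor=10):
    """Hosts whose volume on `day` exceeds `factor` times their mean volume
    over all earlier days. Returns (host, today_bytes, baseline_bytes)."""
    totals = daily_bytes(flows)
    history = defaultdict(list)
    for (d, h), b in totals.items():
        if d < day:                      # ISO dates sort as strings
            history[h].append(b)
    flagged = []
    for (d, h), b in totals.items():
        if d != day or not history[h]:   # no baseline for a new host
            continue
        baseline = sum(history[h]) / len(history[h])
        if b > factor * baseline:
            flagged.append((h, b, baseline))
    return sorted(flagged)

if __name__ == "__main__":
    print(top_talkers(FLOWS, "2002-06-03"))
    print(quiet_hosts_gone_loud(FLOWS, "2002-06-03"))
```

The top-talker list alone would put the legitimate server first every day; the baseline comparison is what singles out the desktop that jumped from megabytes to hundreds of megabytes.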

NACS has already found two systems on campus that appear to be “stacheldraht” agents, and two that appear to be “trin00” daemons (stacheldraht and trin00 are distributed denial of service attack programs). You can read more about trin00 and stacheldraht at

http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt