CSIRT

13 August 2012 at 3:30pm
Incidents by category for the period:

Category              Count
Compromise              193
Copyright                53
Denial of Service         2
General Query             1
LEA Query                 5
Legal/Policy Query        2
Malware                  87
Net/Security Query       10
Other                    15
Phishing                 30
Scanning                 37
Social Engineering        2
6 July 2012 at 10:24am
Incidents by category for the period:

Category              Count
Compromise               62
Copyright               119
Denial of Service         3
General Query             4
LEA Query                 2
Legal/Policy Query        0
Malware                 153
Net/Security Query       13
Other                    15
Phishing                 19
Scanning                 42
Social Engineering        1
This is JANET(UK)’s submission to the inquiry into the EU Internal Security Strategy by the Home Affairs Sub-Committee of the House of Lords Select Committee on the European Union.
15 October 2013 at 1:05pm
The event will include presentations from the community and cover a range of topics within computer and network security. It is aimed primarily at Janet security contacts and those responsible for user, campus, site and network security. Please note it is only open to sites with a Primary connection to Janet. Online booking and further information will be available after August.
15 October 2013 at 1:05pm
CSIRT's annual Security Birds of a Feather session at Networkshop. As usual this will be an opportunity for the free form discussion of security issues affecting your systems and Janet.
6 June 2012 at 11:16am
I've had three discussions in two days about whether Government CERTs are different from others, which makes it a FAQ! It seems to me that legislation may be heading that way, and that that could create a potential problem for sharing information.
References:
[1] Wikipedia, IP address spoofing: https://en.wikipedia.org/wiki/IP_address_spoofing
[2] ZoneAlarm: http://www.zonelabs.com/
[3] Snort, the lightweight network intrusion detection system: http://www.snort.org/
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
We left the monitor in place for two days, until our log file began to grow rapidly, indicating a new attack in progress. The following entries are typical of what was observed:

    [**] IDS253 - DDoS shaft synflood outgoing [**]
    06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C
    98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
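The point of the two preceding passages is that the source IP in a spoofed SYN flood tells you nothing, but the source MAC in the Ethernet header identifies the station that actually put the frame on the wire (or the last layer-2 hop before the monitor). Snort only writes that header line when run with its -e option, which is an assumption here about how the monitor was configured; the page does not say. As an added example that is not from the original article, the following Python script parses alert records in the layout shown above, groups the source IPs claimed behind each source MAC, and flags any MAC that claims several different source addresses. The alert text it carries is constructed for the example, and normalise_mac, parse_alerts, source_ips_by_mac and spoofing_suspects are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample log in the layout of the alerts shown above (Snort text
# alerts written with the -e option, so each record carries an Ethernet header
# line with the source and destination MAC addresses). All addresses here are
# made up for the example; they are not from the incident the article describes.
SAMPLE_ALERTS = """\
[**] IDS253 - DDoS shaft synflood outgoing [**]
06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C
98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF

[**] IDS253 - DDoS shaft synflood outgoing [**]
06/12-14:30:46.599301 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C
203.0.113.7:1009 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59927 DF

[**] IDS253 - DDoS shaft synflood outgoing [**]
06/12-14:30:46.599560 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C
198.51.100.42:1010 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59928 DF

[**] IDS253 - DDoS shaft synflood outgoing [**]
06/12-14:30:47.012044 0:10:4B:7C:2E:F1 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C
192.0.2.250:1011 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:1034 DF
"""

# Snort prints MAC octets without zero padding (8:0:20:... rather than 08:00:20:...).
MAC = r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}"
ETH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>" + MAC + r")\s+->\s+(?P<dst_mac>" + MAC
    + r")\s+type:0x(?P<ethertype>[0-9A-Fa-f]+)"
)
IP_RE = re.compile(
    r"^(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)\s+(?P<proto>\w+)"
)


def normalise_mac(mac):
    """Zero-pad and lower-case a MAC (08:00:20:1b:22:a9) so it matches the
    form a switch's MAC/CAM table prints, which is what you search for when
    tracing the address back to a port."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_alerts(text):
    """Parse three-line Snort alert records into dicts. Records without an
    Ethernet header line (Snort run without -e) are skipped, since nothing
    in them survives IP spoofing."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3 or not lines[0].startswith("[**]"):
            continue
        eth = ETH_RE.match(lines[1])
        ip = IP_RE.match(lines[2])
        if not (eth and ip):
            continue
        records.append({
            "signature": lines[0].strip("[*] ").strip(),
            "timestamp": eth.group("ts"),
            "src_mac": normalise_mac(eth.group("src_mac")),
            "dst_mac": normalise_mac(eth.group("dst_mac")),
            "src_ip": ip.group("src_ip"),
            "dst_ip": ip.group("dst_ip"),
            "dst_port": int(ip.group("dst_port")),
            "proto": ip.group("proto"),
        })
    return records


def source_ips_by_mac(records):
    """Group the (possibly spoofed) source IPs seen behind each source MAC."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src_mac"]].add(r["src_ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}


def spoofing_suspects(records, min_distinct_ips=2):
    """A single station has no business emitting traffic from many different
    source IPs; those MACs are the hosts to go and look at first."""
    return sorted(mac for mac, ips in source_ips_by_mac(records).items()
                  if len(ips) >= min_distinct_ips)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for mac, ips in sorted(source_ips_by_mac(recs).items()):
        hits = sum(1 for r in recs if r["src_mac"] == mac)
        print("%s  %d alert(s), source IPs claimed: %s" % (mac, hits, ", ".join(ips)))
    print("suspects:", spoofing_suspects(recs))
```

Run stand-alone it prints one line per source MAC and then the suspect list; the zero-padded form is what a switch's MAC address table shows, so the next step is to look the suspect MAC up there to find the port and the host on it. One caveat worth keeping in mind when the monitor is moved towards the backbone: once it sits on the far side of a router, the source MAC in every frame is that router's interface address, so the grouping identifies the subnet the traffic came through rather than the host, and the exercise has to be repeated (or the router's own ARP and MAC tables consulted) one hop closer in.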
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Hardware demands are modest: we use a spare Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB of memory and 4GB of disk. One interface is used for console access while the other is dedicated to receiving the RSPAN traffic. The system is configured with the minimum number of services running and no user accounts [4].