NACS has implemented an Intrusion Detection System (IDS) in an effort to reduce “Distributed Denial of Service” attacks which both deny legitimate users access to the network and drive up UCI’s network costs.
The Dragon IDS and Argus (Audit Record Generation and Utilization System) systems were installed recently at the campus border router. At present, the IDS is in a “learning” state so that it does not adversely impact campus users. This involves turning off network usage patterns (“signatures”) that are common at UCI or otherwise not worth worrying about, tuning others to report only traffic from off-campus to on-campus hosts, and telling it to ignore some signatures for some hosts. This will be an ongoing effort, and should result in better sensor performance on the IDS server over time.
The Argus software is collecting data on the flows it sees. This data will be useful if we find a system that has been compromised, as we may be able to track down which system attacked it and which exploit it used, and then report it to the off-campus network service provider responsible for the offending computer.
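The two ideas in the paragraphs above, signature tuning (disable a signature, restrict it to off-campus to on-campus traffic, or ignore it for particular hosts) and using flow records to find which external hosts talked to a compromised system, are shown below as an added example. This is illustrative code written for this page, not the Dragon IDS or Argus software; the flow record format, the campus address range, the signature names and all sample flows are constructed assumptions.

```python
"""Flow-based alert tuning and attack tracing over constructed flow records.

Added example, not Dragon IDS or Argus code. The record format, the campus
address range (CAMPUS_NETS), the signatures and the sample flows are all
constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "time proto src sport dst dport nbytes")

# Assumed campus address space (placeholder, not an authoritative list).
CAMPUS_NETS = [ipaddress.ip_network("128.195.0.0/16")]

# Constructed flow records: time,proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
100,udp,128.195.1.10,4321,128.195.0.53,53,80
110,tcp,203.0.113.7,40000,128.195.20.5,22,1200
120,tcp,128.195.20.5,40001,198.51.100.9,22,900
130,udp,203.0.113.7,31000,128.195.20.5,9999,64
140,icmp,192.0.2.44,0,128.195.20.5,0,56
150,tcp,198.51.100.9,20000,128.195.20.5,22,600
"""


def parse_flows(text):
    """Parse comma-separated flow records into Flow tuples."""
    flows = []
    for line in text.strip().splitlines():
        t, proto, src, sport, dst, dport, nbytes = line.split(",")
        flows.append(Flow(int(t), proto, src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def on_campus(ip, nets=CAMPUS_NETS):
    """True if the address falls inside one of the campus networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed signatures: name -> (match predicate over a Flow, tuning dict).
# Tuning keys mirror the page's three tuning actions:
#   "disabled"     - signature is common/uninteresting, never report it
#   "inbound_only" - report only off-campus -> on-campus matches
#   "ignore_hosts" - suppress the signature when one of these hosts is involved
SIGNATURES = {
    "dns-query": (lambda f: f.dport == 53, {"disabled": True}),
    "ssh-connect": (lambda f: f.proto == "tcp" and f.dport == 22, {"inbound_only": True}),
    "udp-control-port": (lambda f: f.proto == "udp" and f.dport == 9999, {}),
    "icmp-echo": (lambda f: f.proto == "icmp", {"ignore_hosts": {"128.195.20.5"}}),
}


def raise_alerts(flows, signatures=SIGNATURES):
    """Apply each signature with its tuning; return (name, src, dst, time) tuples."""
    alerts = []
    for f in flows:
        for name, (match, tuning) in signatures.items():
            if tuning.get("disabled") or not match(f):
                continue
            if tuning.get("inbound_only") and (on_campus(f.src) or not on_campus(f.dst)):
                continue
            if tuning.get("ignore_hosts", set()) & {f.src, f.dst}:
                continue
            alerts.append((name, f.src, f.dst, f.time))
    return alerts


def trace_external_peers(flows, victim, before=None):
    """Off-campus hosts that sent traffic to `victim`, optionally only before a
    given time, with first-contact time and the protocol/port pairs touched,
    ordered by first contact. This is the flow lookup one would run after a
    compromise to find candidate attacking systems."""
    peers = {}
    for f in flows:
        if f.dst != victim or on_campus(f.src):
            continue
        if before is not None and f.time >= before:
            continue
        entry = peers.setdefault(f.src, {"first_seen": f.time, "ports": set()})
        entry["ports"].add((f.proto, f.dport))
    return dict(sorted(peers.items(), key=lambda kv: kv[1]["first_seen"]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in raise_alerts(flows):
        print("ALERT", *alert)
    for src, info in trace_external_peers(flows, "128.195.20.5").items():
        print("PEER", src, info["first_seen"], sorted(info["ports"]))
```

With the sample data, the disabled DNS signature and the campus-to-outside SSH session produce nothing, the ICMP signature is suppressed for the listed host, and only the two inbound SSH connections and the unknown UDP port are reported; the trace then lists the three external hosts that contacted the suspect system, earliest first, which is the information you would hand to the responsible provider.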
NACS has already found two systems on campus that appear to be “stacheldraht” agents, and two that appear to be “trin00” daemons (stacheldraht and trin00 are distributed denial of service attack programs). You can read more about trin00 and stacheldraht at
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt