May 05, 2008
John Ives, IST System and Network Security
The System and Network Security (SNS) group in IST's Infrastructure Services department has announced the deployment of a new service, the Aggressive IP Distribution (AID) list. The AID list is a list of Internet IP addresses from which SNS has seen aggressive attacks launched against campus hosts in attempts to exploit known security weaknesses. The data for the AID list is derived from campus-run intrusion detection systems (IDS) and from various other systems on campus.
Using IDS alerts and actual system records, each aggressive IP address and the period during which its suspicious activity was detected are saved to a file. Every 15 minutes that file is checked for changes and, if it has changed, an updated AID list is generated. The AID list contains every unique aggressive IP address, unless it is whitelisted, together with the time it was last seen. Aggressive IP addresses that have shown no activity for two weeks are dropped from the list.
The AID list can be used either proactively, by having local firewalls block the listed IP addresses, or reactively, by checking system logs for successful attacks or break-ins originating from IP addresses on the list.
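The two paragraphs above describe how the list is built (unique IPs, whitelist, last-seen time, two-week expiry) and one way to use it reactively. The following is an added illustration written for this page, not SNS's own code: it assumes a hypothetical record format of (IP, ISO timestamp) pairs, a whitelist set, and standard sshd "Accepted ... from ..." log lines; all addresses and log lines are constructed sample data from documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed sample IDS/system records as (ip, last_seen) pairs.
# Addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_RECORDS = [
    ("192.0.2.10", "2008-05-01T08:15:00"),
    ("192.0.2.10", "2008-05-04T22:40:00"),    # same host seen again; keep latest
    ("198.51.100.7", "2008-04-10T03:00:00"),  # stale: not seen for over two weeks
    ("203.0.113.5", "2008-05-05T01:20:00"),
    ("192.0.2.99", "2008-05-05T02:00:00"),    # whitelisted (e.g. a campus scanner)
]

# Hypothetical whitelist of sources that must never appear on the list.
WHITELIST = {"192.0.2.99"}
MAX_AGE = timedelta(days=14)


def build_aid_list(records, whitelist, now_iso, max_age=MAX_AGE):
    """Return {ip: last_seen_iso} for every unique, non-whitelisted IP
    whose most recent sighting is within max_age of now_iso."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for ip, ts in records:
        if ip in whitelist:
            continue
        seen = datetime.fromisoformat(ts)
        # Keep only the most recent sighting per address.
        if ip not in last_seen or seen > last_seen[ip]:
            last_seen[ip] = seen
    cutoff = now - max_age
    return {ip: t.isoformat() for ip, t in last_seen.items() if t >= cutoff}


# Reactive use: look for successful SSH logins from listed addresses.
SSHD_ACCEPT = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth log (syslog-style sshd lines).
SAMPLE_AUTH_LOG = """\
May  5 02:10:11 host sshd[1234]: Failed password for root from 192.0.2.10 port 51022 ssh2
May  5 02:10:15 host sshd[1234]: Failed password for root from 192.0.2.10 port 51022 ssh2
May  5 02:11:02 host sshd[1240]: Accepted password for admin from 192.0.2.10 port 51030 ssh2
May  5 02:30:44 host sshd[1301]: Accepted publickey for alice from 10.0.0.5 port 40012 ssh2
"""


def find_suspicious_logins(log_text, aid_list):
    """Return (user, ip, auth method) for each accepted login from a listed IP."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPT.search(line)
        if m and m.group("ip") in aid_list:
            hits.append((m.group("user"), m.group("ip"), m.group("method")))
    return hits


if __name__ == "__main__":
    aid = build_aid_list(SAMPLE_RECORDS, WHITELIST, "2008-05-05T12:00:00")
    for ip, seen in sorted(aid.items()):
        print(f"{ip}\t{seen}")
    for user, ip, method in find_suspicious_logins(SAMPLE_AUTH_LOG, aid):
        print(f"WARNING: accepted {method} login for {user} from listed host {ip}")
```

A password login accepted from an address that was guessing passwords minutes earlier is exactly the kind of event the reactive check is meant to surface; a key-based login from an unlisted address is left alone.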
Because weak passwords have always been a major problem in IT security (and will remain so as long as passwords are the primary authentication method), the AID list will initially be limited to systems scanning for SSH servers and systems attempting to guess passwords over SSH or FTP. As the service evolves it could eventually include hosts seen performing other attacks, such as SQL injection or PHP include attacks.
Copyright 2007, The Regents of the University of California