At this point, I do not believe there are any services open for students to
access servers remotely.  But we are reviewing all of our rules.  We
actually started this process before the DDoS attacks started but they have
heightened our awareness of the need to do so.

It is configured to not respond to ICMP.

We have considered the possibility of an infected machine on that network.
We have updated and scanned all Windows computers on that network (which
aren't that many as we are a mostly Mac environment).  We encourage
students and staff to keep their devices updated.

One of the issues here that we were well aware of prior to this is the fact
that the High School wireless network, which is the one that keeps getting
targeted, is wide open.  We're in a different situation here with the setup
- we are what's known as an AOS (Alternative Organizational Structure).
This was in response to a law passed in our state a few years ago requiring
consolidation of school districts.  I'm the Technology Coordinator, which
means I am over all IT in the AOS.  But, each school is actually its own
district with its own tech staff - we share certain resources (like a
Superintendent and other Central Office staff) but there is a lot of local
control at the school level, so much so that some things I can only make
recommendations on and I cannot dictate what happens.  It's very confusing
and is really a ridiculous setup.  But it is what I have to work with.

The WAN is in my purview, as is the core LAN in each school.  But the
wireless network is actually the responsibility of the school and they
therefore have the final say on what happens with it.  The school tech
staff make the decisions regarding the wireless networks - this is one of
the areas that I can only make recommendations.  Like I said - very
confusing and it gets quite frustrating!

My Network Admin and I keep recommending to the High School that they
secure their network but they were steadfastly refusing - until now.  Now
they actually think it's a good idea (go figure).  That may or may not have
contributed to this spate of attacks but it certainly will help in the
future.

On Thu, Dec 10, 2015 at 3:11 AM, Robert Obrinsky <[email protected]>
wrote:

> Are there any services open on that interface so that students can access
> servers from remote sites? Does your public address respond to ICMP? Is it
> possible that some of your students' computers/devices are members of a
> botnet and reporting back to a command and control server? Have you or
> someone you have hired conducted a penetration test of your public
> addresses? It seems too convenient that you are continually being
> rediscovered. How long before the new public address gets attacked?
>
> As far as outbound traffic is concerned, are there any protocols that are
> restricted, or is anything allowed out? I have seen hedge funds that were
> very serious about security where they only allowed their staff to access
> certain services from specific workstations. Granted, they almost certainly
> had fewer employees than you have students, but the idea is that they only
> allowed outbound services that were necessary for their business, and even
> then restricted those services to the individuals who required them. I am
> certain that the challenges of a high school population are much more
> difficult to control.
>
> Bob
>
>
> On 12/9/2015 12:32 PM, Joshua Young wrote:
>
>> We have been working with our ISP but I'm looking for something we might
>> be able to do here.  I don't think there is a service that is being
>> attacked.  It's always the same interface - it's the public NAT IP for our
>> High School wireless network.  We change the public IP address and the
>> problem goes away - until the new one is discovered.  We have cycled
>> through I think 6 IP addresses now that are available to us from at least
>> two different ranges.  We have not re-used any addresses - most of the
>> addresses that were targeted are currently disabled by our ISP.
>>
>> On Tue, Dec 8, 2015 at 10:05 AM, WebDawg <[email protected]> wrote:
>>
>> On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young <[email protected]>
>>> wrote:
>>>
>>>> We have recently been the target of DDoS attacks.  The same interface is
>>>> targeted each time.  Is there any way we can shut down this interface
>>>> automatically when this happens?  Is there a way to maybe set a threshold
>>>> for traffic and, when it reaches that threshold, automatically shut the
>>>> interface down?  When this happens, the pfSense is overwhelmed and our
>>>> entire WAN loses Internet connectivity.  I figure if we can shut the one
>>>> interface that is being targeted down before the traffic gets to the point
>>>> of saturating our bandwidth, then just that one network would be down
>>>> rather than our entire WAN.
>>>>
>>>
>>>
>>> Can we have more details on the DDoS attack?  Are you sure there are
>>> no other solutions than shutting it down?  Why would it freeze?  Is a
>>> service hosted by pfSense being attacked?
>>> _______________________________________________
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
>>>
>>>
>>
>>
> --
> Robert Obrinsky President Robert Obrinsky Industries, LLC 1908 SE 45th
> Avenue Portland, OR 97215 Office 503.719.4387 Mobile 503.752.8489
> http://www.roillc.com
>



-- 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"The number one benefit of information technology is that it empowers
people to do what they want to do. It lets people be creative. It lets
people be productive. It lets people learn things they didn't think they
could learn before, and so in a sense it is all about potential."


                              - Steve Ballmer
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Josh Young
Educational Technology Coordinator

*Mount Desert Island Regional School System - AOS 91*
1081 Eagle Lake Road, Mt. Desert, ME 04660
P.O. Box 60, Mt. Desert, ME 04660
Phone: (207) 288-5049 | Fax: (207) 288-5071
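An added example, not taken from any message in this thread, of the threshold-based automatic shutdown Josh asks about: a small POSIX shell script for the pfSense box (FreeBSD) that samples an interface's inbound byte counter, computes the inbound rate, and brings the interface down once the rate exceeds a configured threshold. The interface name `em1`, the 50 Mbit/s threshold, and the `netstat -ibn` column position are assumptions and must be checked against the target system.

```shell
#!/bin/sh
# Added example (not from the thread): poll an interface's inbound byte counter
# and bring the interface down when the inbound rate exceeds a threshold.
# Assumptions: FreeBSD-style netstat (as on pfSense), run as root, and the
# column position used in ibytes() verified on the target box.

IFACE="${IFACE:-em1}"                       # hypothetical interface name
INTERVAL="${INTERVAL:-10}"                  # seconds between samples
THRESHOLD_BPS="${THRESHOLD_BPS:-50000000}"  # 50 Mbit/s, a constructed value

# Inbound rate in bits per second from two byte-counter samples.
rate_bps() {
    # $1 = previous Ibytes, $2 = current Ibytes, $3 = seconds elapsed
    delta=$(( $2 - $1 ))
    # A counter reset (interface reloaded) gives a negative delta; treat it as 0.
    if [ "$delta" -lt 0 ]; then delta=0; fi
    echo $(( delta * 8 / $3 ))
}

# Succeeds (exit 0) when the rate is above the threshold, fails otherwise.
over_threshold() {
    # $1 = rate in bps, $2 = threshold in bps
    [ "$1" -gt "$2" ]
}

# Current inbound byte count for the link-level row of an interface.
# Assumes FreeBSD `netstat -ibn` output where Ibytes is the 8th column of
# the "<Link#N>" row; confirm this on your pfSense version before use.
ibytes() {
    netstat -ibn -I "$1" | awk '/Link/ { print $8; exit }'
}

# Sample the counter every INTERVAL seconds; on the first sample over the
# threshold, log the event and take the interface down, then stop polling.
monitor() {
    prev=$(ibytes "$IFACE")
    while sleep "$INTERVAL"; do
        cur=$(ibytes "$IFACE")
        rate=$(rate_bps "$prev" "$cur" "$INTERVAL")
        if over_threshold "$rate" "$THRESHOLD_BPS"; then
            logger -t ddos-guard "inbound ${rate} bps on ${IFACE} exceeds ${THRESHOLD_BPS}; bringing it down"
            ifconfig "$IFACE" down
            return 0
        fi
        prev=$cur
    done
}

# Start the loop only when invoked as "script.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then monitor; fi
```

Taking the interface down stops pfSense from processing the flood, but packets already on the upstream link still consume that link's bandwidth, so this complements rather than replaces filtering by the ISP.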
