Dorm Net Security Thread

ktk_ace (Limp Gawd, joined Apr 10, 2005, 446 messages)
As a student living in a dorm, I hereby request information and tips on how to set up a good internet environment for all students.

Some common problems encountered leading to extreme lag and/or disconnection in our dorm:

1)
Viruses, trojans, worms and this nasty program called 3721 (from a Chinese website, hxxp://www.3721.com) leading to switch hangs or restarts resulting from too many packets from the guilty computer. Norton DOES NOTHING about trojans, worms and stuff like that, and it's not certified... horrid, but almost 90% of all people use it.

2)
BitTorrent choking the upload bandwidth (might also be mass upload of packets due to infection from the above, or using FTP/hosting websites/content natively).

>>>>>
The most severe and common problems affect the server and switches, as BitTorrent eats the server's CPU capacity like a BFG2000 through almost anything organic -.-

As for the server problem, we found a temporary solution by "borrowing" a separate server from the girls' dorm (and it won't be returned for a... um... long time XD).

Specs of our LAN environment:

15-story building

4 IP switches per floor, totalling 96 ports per floor (with a minimum of 75% plugged in 24/7)

Server: unknown spec, and I know it sucks because the CPU usage minimum is stuck at 95% (I don't have access to it)

3rd-14th floors occupied by us students

In/out line: dual 100 Mbps TANET/HINET

Any tips on how to improve the quality of our internet? Going from room to room for inspections is out of the question, as we are severely shorthanded (only 12 internet rescue members) and NOT paid to do this (I get a big merit... damn, I'd get rich if I handled it case by case and they paid me 5 bucks a pop).

What I wish for in a solution might involve a server/switch-side connection block from "guilty" computers to prevent server overloads/switch hangs.

Please feel free to contribute, as I think other dorms all over the world face the same problems more or less.
 
I would recommend that the students get and install some form of real-time spyware protection to go along with their antivirus protection, like Microsoft AntiSpyware. This can catch the spyware/trojans/worms before they start and clean them out if they already exist.

What exactly is the 'server' being used for?

No switch should hang from "too many packets". Any switch worth its weight should be able to do 100% up/down on every port and not hiccup. That is clearly a bug in the switch or bad switch hardware, or a blatant misconfiguration of the IP routing on the switch.

What I would do is put in a filtering bridge running FreeBSD and dummynet on your internet uplink and rate limit the most heavily used incoming ports (BitTorrent, FTP servers students are running, etc.). That should free up a lot more bandwidth. If your switches are indeed layer 3 switches, you can do rate-limiting/traffic-shaping on them as well, but that would be an added load on a switch that's locking up already. Still, it would be worth a shot if you don't have access to another PC to do the bridge.
 
Ruling out going room to room really narrows your choices. Basically, you can tell people to use AV and anti-spyware, but are they really going to do it without someone assisting them or making them do it with room-to-room inspection? Not likely. Besides, these are their computers, so you can only go so far with imposing restrictions or mandatory programs.

You seem to have identified that you have Internet disconnection and quality problems. You seem to also have identified that some/most of this may be due to network congestion.

I think what you need to do is determine whether you truly need all the students using BitTorrent. In every company, unless the IT guys are the ones wanting to use it and thus clam up about it, P2P programs are a HUGE bandwidth drain. And guess which one is the worst of them? Yup, BitTorrent.

You will not become a popular person in the dorms, but you *could* start blocking incoming requests from the Internet and/or blocking BitTorrent in particular. If you do this, I can nearly guarantee your network congestion will decrease dramatically. However, you still might have issues with the spyware and such.

You should talk to your campus IT group. BitTorrent *can* be something they legally get in trouble for, especially if they are allowing it and not doing anything to stop it... negligence.

But that isn't the only thing you should talk to them about. You should talk to them about determining how to monitor network usage on a student-by-student basis. Once you've monitored this, you can find out who the biggest offenders are, which ones actually affect network/switch quality, and maybe even get some averages. You can use these averages and other data to create caps on network usage. This is a practice used in many public and not-so-public universities now, because of just the situation you have described.

Gaming (a very big hit on the network too), P2P networks, music streaming, MP3s, and spyware/trojans/adware are your biggest concerns. You could also include local network file sharing (which they will do once you take away BitTorrent), but for the most part, that should be allowed. However, you cannot impose network traffic caps like this without some hefty help from your IT people in setting up the network that way, and to make sure this goes through the proper channels. Students *will* protest this a little, although if your cap is high enough, they just need to be told that most people won't notice it... but be prepared for pushback.

The next best thing is to segment off your network in any number of ways. This way, if one segment is having some spyware infestation, at least it won't bring down everything. Sadly, I can't go into detail about this.

Might it be possible your switches have had so much activity that they have reverted to hubs? Instead of managing the overhead of telling traffic where it should go, they just send all traffic everywhere?
 
Well, as I'm the person mainly in charge of "outbreaks" that disconnect our entire floor's system (the 8th floor precisely), I have to go to the switch and disconnect hubs with lights that flash orange constantly... can anyone tell me what it means? There are green flashing lights and orange ones... :x

And I'm not the head of our dorm's rescue team either, so disconnecting someone physically solves the problem ASAP, as we go to his computer and run stuff like AVG Antivirus and Spybot S&D.

We do have upload caps at 500 KB/line, and the IT department won't go any further because they say it's a student's right to use the net, or they will complain (what the !?).

BitTorrent IS illegal, but our school goes to great lengths to protect its students from the RIAA and MPAA... at the expense of other students' internet quality -__-

As I said, the server is beyond me, but I will check on the type of switches we have and implement caps or blocks on bandwidth beyond a specified range.

BTW, as for the server, it's laden with BitTorrent connections.

Example:

Internet Explorer/Firefox uses only one connection per page = 1-5 connections

1 BT link, 5 seeds, 15 leechers = 20 connections

Imagine a BitComet freak connecting to 20 BT sources = min 400 connections

We just need a few assholes (10) per floor to crash or overload our server.
(12 x 400 x 10 = 48,000 connections)

And of course that's the theoretical minimum :x
 
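The connection arithmetic in the post above, and the earlier suggestion to monitor usage per student and find the biggest offenders, amount to per-host accounting over flow records. The following is an added example (not code from anyone in this thread): it builds a constructed set of flow records, counts connections and bytes sent per source host, flags hosts over the 400-connection figure from the post and the 500 KB upload cap mentioned, and emits ipfw-style deny rules for them. The IP addresses, the BitTorrent port range and the assumption that an ipfw box sits in front of the uplink are all assumptions for illustration.

```python
"""Per-host connection and upload accounting over flow records.

Added example. The flow records are synthetic (constructed below), not data
from the dorm network. Thresholds follow the thread: 400 connections per
host (the BitComet arithmetic) and a 500 KB upload cap per line.
"""
from collections import Counter

CONN_LIMIT = 400               # connections per host before it counts as an offender
UPLOAD_LIMIT = 500 * 1024      # bytes sent per accounting interval (500 KB/line cap)
BT_PORTS = range(6881, 6890)   # assumption: BitTorrent clients on their default ports


def make_sample_flows():
    """Constructed flows as (src_ip, dst_ip, dst_port, bytes_out) tuples."""
    flows = []
    # A normal web user: a handful of HTTP/HTTPS connections.
    for i in range(4):
        flows.append(("10.8.1.5", "203.0.113.%d" % (10 + i), 443 if i % 2 else 80, 12_000))
    # A heavy BitTorrent user: 450 peer connections, small payload each.
    for i in range(450):
        flows.append(("10.8.1.9", "198.51.100.%d" % (1 + i % 250), 6881 + i % 9, 1_500))
    # An FTP server run from a room: few connections, but a large upload.
    for i in range(3):
        flows.append(("10.8.1.23", "192.0.2.%d" % (5 + i), 21, 300 * 1024))
    return flows


def summarize(flows):
    """Return {host: {"conns", "bt_conns", "bytes"}} for every source host."""
    conns, bt_conns, sent = Counter(), Counter(), Counter()
    for src, _dst, dport, nbytes in flows:
        conns[src] += 1
        sent[src] += nbytes
        if dport in BT_PORTS:
            bt_conns[src] += 1
    return {h: {"conns": conns[h], "bt_conns": bt_conns[h], "bytes": sent[h]}
            for h in conns}


def offenders(flows, conn_limit=CONN_LIMIT, byte_limit=UPLOAD_LIMIT):
    """Hosts over either threshold as (host, reason) pairs, most connections first."""
    stats = summarize(flows)
    found = []
    for host, s in stats.items():
        reasons = []
        if s["conns"] > conn_limit:
            reasons.append("%d connections" % s["conns"])
        if s["bytes"] > byte_limit:
            reasons.append("%d bytes sent" % s["bytes"])
        if reasons:
            found.append((host, ", ".join(reasons)))
    return sorted(found, key=lambda hr: -stats[hr[0]]["conns"])


def block_rules(hosts, start=1000):
    """ipfw deny rules for the given hosts (assumption: an ipfw/dummynet box on
    the uplink, as suggested earlier in the thread). Rule numbers step by 10."""
    return ["ipfw add %d deny ip from %s to any" % (start + 10 * i, h)
            for i, h in enumerate(hosts)]


if __name__ == "__main__":
    flows = make_sample_flows()
    for host, s in sorted(summarize(flows).items()):
        print("%-12s conns=%4d bt=%4d bytes=%8d" % (host, s["conns"], s["bt_conns"], s["bytes"]))
    bad = offenders(flows)
    for host, why in bad:
        print("OFFENDER %s: %s" % (host, why))
    print("\n".join(block_rules([h for h, _ in bad])))
```

In practice the flow tuples would come from the bridge (ipfw counters, a netflow export, or a periodic `netstat` on the proxy) rather than being constructed, and the block would be applied per switch port or at the uplink for a fixed time rather than permanently.
 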
Your IT is not fully thinking about the situation. Yes, they can put caps on, and it's not a student's "right" to be able to always download... basically, I think the IT needs to include management. Quality of link should take precedence over unlimited DL/UL.

Amber lights can indicate a few things:
- a computer was just turned on, and the computer is still negotiating the connection.
- there may be collisions on that particular port; maybe overutilization
- there may be a physical issue with the port, where it is not functioning properly

Typically a green flashing light is a good sign, and the quicker it flashes, the more traffic there is.

You should be able to look up the switch model online and get a more accurate and technical description of the status lights.
 
OK, first a disclaimer: I'm only speaking for Kent State U. in my examples. Chances are this is completely different for your network, but the same practices can still apply. I'm a ResNet Computer Consultant with 3 years' experience on our network.

First, you need to sit down with the IT department and make some suggestions. You really should have a site-licensed virus scanner, or at least a policy on virus scanners on student machines. At KSU, we require you to use our version of McAfee 7.1 with our settings, or a comparable up-to-date virus scanner. If ResNet works on your computer without a virus scanner and we find a virus, we charge you a $20.00 fee.

Second, you need to have capped upload/download speeds. KSU uses Packeteer, and we are moving over to Perfigo for our entire authentication soon. If I remember correctly, we are currently running 512 kbit/56 kbit down/up speeds. We don't get too many complaints, except from the hardcore users. Also, our Internet2 bandwidth is either uncapped or has a very high cap, since games and other stuff over Internet2 run super fast and keep most of the gamers happy.

Are you using 3Com equipment? 3Com switches with flashing orange or green lights (flashing on and off, not traffic flashing) usually indicate a disabled port state that has a link. At KSU, over 90% of our dorm ports are directly connected to 3Com 24- or 48-port 3300 or 4400 switches. That gives us room/port-level control over who's on or off. Network Services (the entire campus IT department) can either switch off that port, or even block them at the VLAN router level, or even on each of the 4 VLANs if they jump around (laptops). This means that nearly any virus outbreak can be quelled within a few hours of initial symptoms and reports. If the attack is on a certain port, it will be blocked at Packeteer. For the last 3 major attacks, we have had probably less than 5% infection rates; the problem is that with over 5,000 connections under ResNet control, that means our tech support office has to touch roughly 200 computers.

So sit down with IT and make some suggestions!

 
Rombus said:
That gives us room/port-level control over who's on or off. Network Services (the entire campus IT department) can either switch off that port, or even block them at the VLAN router level, or even on each of the 4 VLANs if they jump around (laptops). This means that nearly any virus outbreak can be quelled within a few hours of initial symptoms and reports. If the attack is on a certain port, it will be blocked at Packeteer. For the last 3 major attacks, we have had probably less than 5% infection rates; the problem is that with over 5,000 connections under ResNet control, that means our tech support office has to touch roughly 200 computers.

And that is actually becoming a very common way to deal with virus problems on many campuses (4 in my area have put together similar systems in the past 2 years). The additional part I've seen is to drop the infected system onto a new VLAN. That then resolves all their DNS requests to an internal school webpage which instructs them to download new virus protection and anti-spyware software. Then it gives them the phone number of the net admins to call and request to be removed from the block list (by MAC address). All in all, not a bad system; not perfect, but not bad.

Question for ktk_ace:
"BitTorrent IS illegal" - Can I assume you mean to use on your campus? Since as a tool it is no more illegal than a hammer (at the moment, at least). Or possibly are you outside the US with a different legal ruling on the matter?
 
Sorry about the "BitTorrent is illegal" stuff; I was trying to say that the content students mostly download is illegal or copyrighted stuff, not the program itself, although the IT department has a bad impression of BT as a tool for downloading "stuff".

And yeah, many companies in my country have written letters threatening to sue our students. They use "packet sniffers" on their anti-piracy servers and "sniff" out the packet contents and which IP it goes to... not just our uni but lots of others too. Sorry for the misinterpretation.

As for the amber light... there are 2 states, a constant on and a constant flashing. What are they? And yes, our switches are real cheapo OEM stuff from Taiwan, so the possibility of them being layer 3 switches is nada.

So the question remains for the amber lights:

What is:
1) a constant on light

2) a constantly flashing light ???

If they are switch-specific and not standardized, then never mind about my question ^^
 
Malk-a-mite said:
The additional part I've seen is to drop the infected system onto a new VLAN. That then resolves all their DNS requests to an internal school webpage which instructs them to download new virus protection and anti-spyware software.
KSU has the capability to do this, but I've only seen them do it during Blaster 2 years ago. It worked great, but apparently it was pretty hard to set up on the IT side, so they haven't done it recently. From what I hear, Perfigo will allow for this pretty easily. If I do get the chance to work on the Perfigo implementation and our GigE implementation this summer, it could be interesting to see all that it's capable of.

ktk_ace, most status light displays are switch-specific. If you give me the manufacturer, I could possibly look it up for you.
 
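The quarantine VLAN described by Malk-a-mite above, and confirmed by Rombus as what KSU did during Blaster, hinges on one piece: a DNS server on that VLAN that answers every lookup with the address of the internal remediation page, so whatever site the infected machine tries to open, it lands on the instructions. The following is an added example of that sinkhole resolver, not code from either poster or from any campus deployment. It handles A queries by returning the remediation address, gives other record types an empty NOERROR reply so clients fall back to A, ignores packets that are themselves responses, and drops malformed input. The remediation IP, the bind address and the query names are assumptions.

```python
"""Minimal DNS sinkhole for a quarantine VLAN (added example, not campus code).

Every A query is answered with REMEDIATION_IP, the assumed address of the
internal "you are quarantined, install AV, then call the net admins" page.
Query and response encoding follow RFC 1035; only what the sinkhole needs
is implemented.
"""
import socket
import struct

REMEDIATION_IP = "10.99.0.10"   # assumption: host serving the remediation page
TTL = 30                         # short TTL so a released client recovers quickly
QTYPE_A = 1


def _read_name(buf, off):
    """Decode a DNS name starting at buf[off]; returns (name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            name, _ = _read_name(buf, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Encode a standard recursive query (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def sinkhole_response(query, redirect_ip=REMEDIATION_IP):
    """Build the reply for one query packet; None if it is not a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    if flags & 0x8000 or qdcount != 1:                 # QR set = a response, not a query
        return None
    _name, off = _read_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]
    rflags = 0x8180                                    # QR=1, RD=1, RA=1, RCODE=NOERROR
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == 1:
        answer = (b"\xc0\x0c"                          # pointer back to the question name
                  + struct.pack("!HHIH", QTYPE_A, 1, TTL, 4)
                  + socket.inet_aton(redirect_ip))
        ancount = 1
    return struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + question + answer


def parse_answer(resp):
    """Return (queried name, first A rdata as dotted IP or None) from a response."""
    _, _, _, ancount, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    name, off = _read_name(resp, 12)
    off += 4                                           # skip qtype, qclass
    if ancount == 0:
        return name, None
    _, off = _read_name(resp, off)                     # owner name (compression pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
    off += 10
    return name, socket.inet_ntoa(resp[off:off + rdlen])


def serve(bind_addr="0.0.0.0", port=53):
    """Answer queries on the quarantine VLAN (needs root for port 53)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                reply = sinkhole_response(data)
            except (IndexError, struct.error, UnicodeDecodeError):
                continue                               # malformed packet: drop it
            if reply:
                s.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The resolver only does anything useful if the quarantine VLAN's DHCP hands it out as the sole DNS server and the VLAN's router blocks everything except that resolver and the remediation web host; otherwise a client with a hard-coded resolver, or malware that talks to IPs directly, is unaffected.
 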
Rombus said:
Perfigo will allow for this pretty easily. If I do get the chance to work on the Perfigo implementation and our GigE implementation this summer, it could be interesting to see all that it's capable of.

Wow, Perfigo looks like they have a very nice setup.
http://www.perfigo.com/images/cm_process.gif
(tried posting the image but the text doesn't display very well)

If you do get a chance to work with this please post a thread with how it goes for you.
 
Any pricing plans for the Perfigo system?? And no one kind enough has answered my questions yet... -.-
 
ktk_ace said:
Any pricing plans for the Perfigo system?? And no one kind enough has answered my questions yet... -.-


Your question was answered in my first post. Simply rate limit the most heavily used ports. I mentioned 2 ways of doing this. If it is heavy web traffic to spyware sites that is causing a rise in bandwidth usage, find the IPs of their servers and null route them on whatever router the students are behind.

You did not answer my question of:
What exactly is the 'server' being used for?
Is it a proxy? Is it the 'router' for the students (default gateway)? Is it rate-limiting things already? What exactly does it do?

As far as your switches go, constant flashing is traffic going through that switch port, and a solid light means no traffic or, in some switches, a 10 Mb/half-duplex connection. Impossible to know without the model number of the switch, but it should say on the switch itself. Are they even switches, or are they hubs? If they are still locking up, then they are bad. Have them replaced or deal with rebooting them.
 