Black Hole Routing
Time 12/12/19 09:00AM-09:50AM
Room Nottoway (4th)
Although an IPS device was in place at the network border, along with processes to automatically shun IP addresses exhibiting malicious behavior, the reaction time for this process could be as long as 30 minutes. Analysis of logs indicated that as many as 2/3 of the IP addresses shunned via this process never actually recorded a block; in other words, many of these malicious IPs completed their activity and moved on before the block could become effective.
This session will discuss the pros and cons of various methods for blocking malicious traffic and demonstrate automated techniques for different options. The discussion will include lessons learned from blocking malicious traffic at large higher education institutions over several years.
Primary track Information Security