4. Security blocks

Network-level blocks will generally be applied at the backbone routers, by MAC address or IP address as appropriate. They isolate the compromised system from everything but its local network, protecting the remainder of the University network and the global Internet. Please bear in mind that such a block does not necessarily protect other systems on the same network from attack by the compromised system.

MAC address blocks are generally preferred, as many networks use dynamic IP address assignment. Blocking by MAC address avoids collateral damage to other systems later assigned the same IP address, and the block remains effective should the compromised host later be assigned a different IP address. However, MAC address blocks are incompatible with firewalls which do routing or proxy-ARP, or in certain circumstances may be inappropriate for other reasons; in such cases blocks will be by IP address. Note that a MAC block is specific to a particular network connection; a block against that MAC on one unit's connection will have no effect elsewhere on the University network.

Upon receipt of a notification, please promptly isolate the system from the local network pending further examination, for instance by using a port block if you have managed switches.

OxCERT will endeavour to notify local ITSS as soon as possible, but at particularly busy times the notifications may be delayed or overlooked. If you suspect that a host has been blocked but have not received a notification, please check against the blocks list from any system within the University network, and contact us if necessary. A brief summary of the reason for each block will be given.
