Lot2 Task 1

Submitted By eodninja
Recently the university web-based registration system was the subject of a DDoS (Distributed Denial of Service) attack. This type of attack is characterized by flooding the target system(s) with more network traffic than it can process, thereby forcing the system offline or reducing its ability to respond to legitimate traffic to a negligible level. It differs from a DoS (Denial of Service) attack in that multiple computers (potentially thousands) are used to increase the amount of traffic sent to the victim. The result of the recent attack was the complete shutdown of the web registration server and the inability of any student to register for classes for approximately 24 hours. It was further determined that the attack originated from inside our internal network; no evidence has been found that an outside attacker was able to penetrate our protective layers. To that end, we have compiled a report detailing proposed protective measures that may help prevent such attacks in the future.

The investigation determined that the attacker was able to obtain an administrator-level password using a password-sniffing application. These applications scan network traffic and pick out username and password combinations. It is believed that since this software was deployed on a large section of our computers, it was simply a matter of time before it captured a password used by our Information Systems (IS) staff. Once the attacker had obtained the password, he/she was able to log into any machine and install the software used to control the computers in the DDoS attack. It was further determined that the password was sniffed specifically from a remote login session by an IS staff member to a remote machine. Information Systems strongly suggests that we implement a new security policy requiring all remote connections to be made using an encrypted protocol. Encrypted transmissions prevent sniffers from reading any information contained in the captured packets.
The second security policy continues from the first: publicly accessible computers need to have further control restrictions placed on them. We can ensure that remote connections are encrypted, to prevent packet sniffers from reading transmitted information, but that still leaves computers vulnerable to locally installed malicious software. The access control policy for the entire university needs to be strengthened: no network accounts other than administrators will have the ability to install software on any computer. All new installation requests will need to be approved and then installed directly by IS staff.

The third policy is network monitoring. A network monitoring package needs to be implemented across the network. This package can perform a number of needed administration functions, but its ability to look for known attack signatures in transmitted packets is what we will focus on here. All network-connected machines send packets of information across the network to other devices and machines. A network monitoring platform can be programmed to identify the signatures of known DDoS programs, much as humans can be identified by their fingerprints. Upon detection of a possible threat, several different actions can happen. An alert can be sent to IS with information about which machine(s) are actively sending the traffic and which signature triggered the alert. This alert allows IS to immediately shut down connectivity to those machine(s) and begin researching the attacking program. The monitoring program may also provide the means to automatically stop traffic in and out of those machines until IS can inspect the alert. Another possible configuration of monitoring software is to inventory installed software packages and report any changes to the administrators. Administrators can then identify who was logged into the machine at the time the software was changed or installed.
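The monitoring policy above describes two mechanisms: matching captured traffic against signatures of known DDoS control programs and raising a per-machine alert, and diffing installed-software inventories so a change can be attributed to whoever was logged in at the time. The following Python is an added illustration of both, not code from the essay; the signature names and byte patterns, host names, capture records and login sessions are all constructed for this example and do not correspond to any real program.

```python
"""Added example: signature matching over constructed capture records, followed by
an installed-software inventory diff attributed to the logged-in user."""

# Hypothetical signatures for a DDoS agent and its controller (constructed patterns).
SIGNATURES = {
    "flood-agent-beacon": b"AGENT-HELLO",   # agent checking in with its controller
    "flood-agent-command": b"FLOODCMD",     # controller ordering agents to start sending
}

# Constructed capture records: (time, source host, destination, payload bytes).
RECORDS = [
    (100, "lab-pc-12", "10.0.5.9:6667", b"AGENT-HELLO lab-pc-12"),
    (101, "lab-pc-07", "10.0.5.9:6667", b"AGENT-HELLO lab-pc-07"),
    (102, "10.0.5.9", "lab-pc-12:6667", b"FLOODCMD registration.example.edu"),
    (103, "lab-pc-03", "10.0.1.2:80", b"GET /register HTTP/1.1"),  # ordinary traffic
]


def scan(records, signatures=SIGNATURES):
    """Match every payload against every signature. Returns one alert per
    (source host, signature) pair carrying the first-seen time and hit count,
    which is the information IS needs to decide which machine to cut off."""
    hits = {}
    for ts, src, dst, payload in records:
        for name, pattern in signatures.items():
            if pattern in payload:
                first, count = hits.get((src, name), (ts, 0))
                hits[(src, name)] = (first, count + 1)
    return [{"host": h, "signature": s, "first_seen": f, "count": c}
            for (h, s), (f, c) in sorted(hits.items())]


def hosts_to_quarantine(alerts, internal_prefix="lab-"):
    """Internal machines that triggered any signature: candidates for having
    their network access stopped until IS has inspected the alert."""
    return sorted({a["host"] for a in alerts if a["host"].startswith(internal_prefix)})


def inventory_changes(before, after, sessions):
    """Compare two per-host package inventories. `before` maps host -> {package: ...};
    `after` maps host -> {package: install_time}; `sessions` is a list of
    (host, user, login_time, logout_time). Each newly installed package is
    attributed to the user whose session on that host covered the install time."""
    changes = []
    for host, pkgs in after.items():
        for pkg, installed_at in pkgs.items():
            if pkg in before.get(host, {}):
                continue  # package already present, not a change
            who = [u for h, u, start, end in sessions
                   if h == host and start <= installed_at <= end]
            changes.append((host, pkg, installed_at, who[0] if who else "unknown"))
    return changes
```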
These three security policy changes, if implemented before the attack, would have stopped the attack completely. It is unfortunate that the attack was successful, but it did illustrate several holes in our current security posture. We need to take the information learned from the attack and implement changes to prevent such attacks in the future. Not doing so leaves us vulnerable.
