I am admin of a small network. Users in our network have access to internet through a squid NAT server.
Recently, we have detected that some users are using LOIC to attack servers on the internet. How can I detect and block such attacker automatically?
Is there any straightforward way for this (e.g. blocking an especial port or pattern?) Or I have to use a intelligent software that detects misbehavior of our users and blocks them?
A temporary IP-based blocking is sufficient for us.
mailq's comment isn't so much anarchist as it is the Right Answer for Most Cases.
If users are using corporate (or school, etc) resources to perform illegal activity (whether it is on the Internet or not), appropriate measures should be taken to let them know that this is completely unacceptable.
Nobody should be anonymous on your network, you should be able to easily track it down to a specific computer (DHCP lease) and most likely a specific user.
Given all that, The Spiderlabs Blog has an article on snort rules to detect LOIC activity. Implementing snort may be your best option if you really can't address the problem through education or a LART.
Ben's comment brings up a whole 'nother can of worms. Consider: