Proactive approaches to finding vulnerable machines

• direct remote identification of vulnerability
• direct remote identification of backdoor login mechanism
• remote identification of use of Ethernet promiscuous mode
• abnormally high rate of packets either from or to the machine
• machine shows up on IRC with suspicious nick or channel

• can do all these before known problems; not comprehensive
• new machines on network, or OS changes, occur very frequently
• often need to do vulnerability assessment in a reactive mode
  • we receive mail reporting "attacks" from MIT machines
  • most reports are misinterpretations of Gnutella or ftp
  • less than 20% point out an actual compromised machine
  • remote vulnerability check can help to confirm compromise
  • problem: intruders may fix security problems after breaking in

Copyright 2000, Massachusetts Institute of Technology. All rights reserved.