Proactive approaches to finding vulnerable machines
- direct remote identification of vulnerability
- direct remote identification of backdoor login mechanism
- remote identification of use of Ethernet promiscuous mode
- abnormally high rate of packets either from or to the machine
- machine shows up on IRC with suspicious nick or channel
Copyright 2000, Massachusetts Institute of Technology.
All rights reserved.
- can do all these before known problems; not comprehensive
- new machines on network, or OS changes, occur very frequently
- often need to do vulnerability assessment in a reactive mode
- we receive mail reporting "attacks" from MIT machines
- most reports are misinterpretations of Gnutella or ftp
- less than 20% point out an actual compromised machine
- remote vulnerability check can help to confirm compromise
- problem: intruders may fix security problems after breaking in