[Beowulf] Re: "hobbyists"

Perry E. Metzger perry at piermont.com
Fri Jun 20 15:05:18 PDT 2008


stephen mulcahy <smulcahy at aplpi.com> writes:
> Perry E. Metzger wrote:
>> It is, to some extent, a question of how many people are interested in
>> a particular attack vector. Internet Explorer is a major attack vector
>> for people who make money at this, so they work hard finding the bugs
>> in it, of which there are an apparently endless number. I believe that
>> more than 250 days last year, Internet Explorer had a known but as yet
>> unpatched vulnerability. That's why the overwhelming majority of
>> Windows boxes are zombies, including almost certainly most of yours
>> unless you are a really unusual sysadmin.
>
> I'm reading this to mean that you think most Windows boxes on most
> networks are zombies - is that right?

Most are infected with something -- spyware, keyloggers, etc. I may be
slightly wrong on zombies -- that number might be a bit smaller. I
haven't checked the stats in a while. But, yes, it is an insane
fraction of the machines out there.

>> If you're smart, you're listening on:
>>
>> * DNS, with bind configured to run chrooted and unprivileged
>> * sshd running with priv sep
>> * ntpd running chrooted and unprived (though not all OSes will allow
>>   you to do that.)
>> * maybe SMTP via postfix, which runs chrooted and unprived
>> * and NOTHING ELSE.
>>
>> And if you're really smart, those daemons are further tied down with
>> various bondage and discipline equipment like apparmor or SE Linux or
>> what have you.
>
> Ouch, it's a never-ending battle, isn't it?

Yup.

>> If you really believe your local net is very good, run a sniffer on it
>> for a while -- or talk to someone whose job is to run one.
>
> I'd love to know how anyone with skype running on their network
> manages to see much of anything from the firehose that is a packet
> trace (and our network is small). Again, maybe it's just a question of
> time.

You tell tcpdump to filter out the skype packets. :)

More seriously, if you want to analyze a trace from a big network, you
record a couple of minutes' worth and you have automated tools tease it
apart. You don't try to do it by hand. There's lots of good open
source stuff out there now that will do what you need.

Perry
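Added example (not part of the original thread or the Beowulf list archive): the two points Perry makes above, filtering the chatty traffic out of a trace and letting a script tease the rest apart, done in standard-library Python. The script constructs a small pcap in memory (sample traffic, not a real capture), parses the Ethernet/IPv4/UDP/TCP headers itself, drops any flow touching a port we treat as noise (UDP 40000 is a stand-in for the peer-to-peer chatter, not Skype's real port), and reports packets and bytes per remaining flow. The port choice, the addresses and the helper names are all assumptions for illustration.

```python
"""Tease a packet trace apart with a script instead of by hand (added example).

Builds a pcap in memory from constructed frames, parses it with the standard
library only, skips flows on ports we treat as noise (the script's equivalent of
`tcpdump not port N`), and summarises what remains per 5-tuple flow.
"""
import socket
import struct
from collections import Counter

NOISY_PORTS = {40000}  # assumption: stand-in for a chatty peer-to-peer port to ignore


def build_packet(src, dst, proto, sport, dport, payload_len):
    """Build one Ethernet + IPv4 + (UDP|TCP) frame (constructed sample data)."""
    if proto == 17:  # UDP: 8-byte header, zero checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0) + b"\x00" * payload_len
    else:  # TCP: minimal 20-byte header, data offset 5, ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
        l4 += b"\x00" * payload_len
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + l4


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap_bytes):
    """Yield each captured frame from a little-endian pcap byte string."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl]
        off += incl


def parse_frame(frame):
    """Return ((src, dst, proto, sport, dport), ip_total_len) or None if not IPv4 TCP/UDP."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", frame[16:18])
    proto = frame[23]
    if proto not in (6, 17):
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, dst, proto, sport, dport), total_len


def summarise(pcap_bytes, ignore_ports=NOISY_PORTS):
    """Count packets and IP bytes per flow, skipping flows that touch ignore_ports."""
    pkts, octets = Counter(), Counter()
    for frame in iter_frames(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, length = parsed
        if key[3] in ignore_ports or key[4] in ignore_ports:
            continue  # the noisy traffic never reaches the human
        pkts[key] += 1
        octets[key] += length
    return pkts, octets


# Constructed sample trace: 50 noisy p2p datagrams, 2 DNS queries, 3 SSH segments.
SAMPLE_PCAP = build_pcap(
    [build_packet("10.0.0.5", "10.0.0.9", 17, 40000, 40000, 200)] * 50
    + [build_packet("10.0.0.5", "10.0.0.2", 17, 5353, 53, 40)] * 2
    + [build_packet("10.0.0.7", "10.0.0.1", 6, 51000, 22, 100)] * 3
)


def top_flows(pcap_bytes=SAMPLE_PCAP, n=5):
    """Return the n busiest surviving flows as (key, packets, bytes), busiest first."""
    pkts, octets = summarise(pcap_bytes)
    return [(key, pkts[key], octets[key]) for key, _ in pkts.most_common(n)]


if __name__ == "__main__":
    for (src, dst, proto, sport, dport), count, size in top_flows():
        name = "tcp" if proto == 6 else "udp"
        print(f"{name} {src}:{sport} -> {dst}:{dport}  {count} pkts  {size} bytes")
```

On a real capture you would replace SAMPLE_PCAP with the bytes of a file written by tcpdump -w and widen the parser (VLAN tags, IPv6, pcapng), but the shape is the same: filter first, aggregate second, and only then read.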
