What is RPC Reporter and what does it do?
RPC Reporter is a Faceless Background Application which runs under Mac OS 7.6 through Mac OS 9.x on PowerPC Macintoshes and silently monitors for incoming Internet intrusions on TCP Port 111 (Sun Remote Procedure Call service). This is a service which is commonly sought after by intruders in order to set up a machine as a zombie for distributed denial of service (DDoS) attacks on a targeted host.
When RPC Reporter detects such an intrusion, a user is notified of the intrusion and a filter is applied which fully prevents the intruder from any access to your Macintosh. The intruder will not be able to obtain any information which would permit them to "fingerprint" your machine and try to access it via any other manner. The user can then optionally choose to report the intrusion by simply holding down the "Shift" key on their keyboard while closing the intrusion alert.
The RPC Service does not run on Mac OS 9.x and earlier. So why should Mac users be concerned?
All Macintosh users should be concerned about such intrusions for the following reasons:
Attempted RPC intrusions are for real and increasing. If there is any doubt, please see the National Infrastructure Protection Center bulletin dated April 30, 2001.
It is important that Mac users understand what is involved in these intrusions and act together in order to mitigate these attacks.
Will RPC Reporter run under Mac OS X?
No, not at this time. Not even under a Classic environment. We are currently developing a version of RPC Reporter to run under Mac OS X.
What happens when I choose to report an intrusion?
A user reports an intrusion by holding down the "Shift" key on their keyboard when they close an intrusion alert. This will take their open browser to a special page on our site where the intrusion is logged. This page will also display how many times this same IP address and network have been involved in similar intrusions with other Mac users within the past 24 hours. Sustainable Softworks will monitor this data and inform appropriate authorities of these events. In ALL cases your identity remains anonymous.
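The 24-hour tally described above can be sketched as follows. This is an added example, not Sustainable Softworks' code: the report record layout, the function names, and the choice of a /24 prefix as the "network" are assumptions, and the sample reports are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(hours=24)
PREFIX_LEN = 24  # assumption: "network" is taken to be the source's /24


def summarize(reports, new_ip, now):
    """Count recent reports that match new_ip and its enclosing network.

    reports: iterable of (timestamp, source_ip) pairs; no reporter identity
    is stored, matching the FAQ's statement that reporters stay anonymous.
    """
    target = ip_address(new_ip)  # raises ValueError on malformed input
    net = ip_network(f"{new_ip}/{PREFIX_LEN}", strict=False)
    cutoff = now - WINDOW
    same_ip = same_network = 0
    for when, src in reports:
        if not (cutoff <= when <= now):
            continue  # outside the 24-hour window (or timestamped in the future)
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # skip malformed entries rather than abort the tally
        if addr in net:
            same_network += 1
            if addr == target:
                same_ip += 1
    return {"ip": str(target), "network": str(net),
            "same_ip": same_ip, "same_network": same_network}


# Constructed sample data using documentation address ranges.
NOW = datetime(2001, 5, 1, 12, 0)
SAMPLE_REPORTS = [
    (datetime(2001, 5, 1, 11, 30), "192.0.2.77"),
    (datetime(2001, 5, 1, 3, 0), "192.0.2.77"),
    (datetime(2001, 5, 1, 9, 15), "192.0.2.10"),    # same /24, different host
    (datetime(2001, 4, 30, 11, 0), "192.0.2.77"),   # 25 hours old: excluded
    (datetime(2001, 5, 1, 10, 0), "198.51.100.5"),  # unrelated network
    (datetime(2001, 5, 1, 10, 5), "not-an-ip"),     # malformed: skipped
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS, "192.0.2.77", NOW))
```

Counting by network as well as by address shows when several hosts in one address block are probing, which a per-address count alone would miss.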
Can I obtain any other information regarding the intrusion?
You can directly run a Trace Route on the intruder's IP address through our IPNetMonitor application. To do this just hold down the "Control" key when closing the intrusion alert.
A trace route will trace every router along the path back to the intruder. In this manner you should be able to determine from what country or region (and backbone network provider) the intruder originates. NOTE: because RPC Reporter automatically installs a filter blocking ALL datagrams from an intruder, a trace route will NOT show return packets from this intruder. The last returned packets will originate from the router nearest the intruder.
RPC Reporter makes it easy to perform a trace route on an intruder. But before you can do this you must:
To set up the Internet (Internet Config) control panel:
Now, anytime you receive notification of an intrusion, you can automatically run a trace route on this intruder by simply holding down the Control key on your keyboard and closing the notification alert.
Can I both report an intrusion and run a trace route on it?
Yes you can. Just hold down both the "Shift" and "Control" keys when closing the intrusion alert.
I left my Macintosh on overnight and it received an intrusion alert. Was my Macintosh still protected from other RPC intruders even though the intrusion alert was left on the screen?
Yes. Due to the way that notification alerts are handled in the Classic Mac operating system, RPC Reporter can only display one notification alert at a time. Your Macintosh, however, is still being protected.
Does RPC Reporter create a Log file?
Yes. The file is called "RPC_Reporter.log" and resides in your System Preferences folder. This file is a plain text file and is reset each time you restart your Macintosh. This file logs several events, including all RPC intrusions.
How much does RPC cost?
Nothing. It is freely available, and the RPC_Reporter_Installer can be freely distributed.
Are there other types of intrusions about which I should be aware?
Yes, there are. Intruders often seek other available services such as Telnet, SMTP, SOCKS, and lpd, to name a few. For the Macintosh, TCP/IP Filesharing (TCP Port 548) is often sought. In order to monitor for these types of intrusions please see our IPNetSentry application. IPNetSentry also offers flexibility in the way you are notified (alert, browser, AppleScript, etc.), and permits you to set up other types of fixed filters (example: a TCP/IP filesharing filter so that only trusted and identified remote IP addresses have access to your machine).
I have a cable modem which serves both my Macintosh and my Windows machine. Does RPC Reporter protect my Windows machine?
No, RPC Reporter will only protect your Macintosh when both machines are directly connected to the cable modem (through a HUB or Switch).
When you have more than one machine, we strongly recommend that only ONE of your machines be directly connected to the Internet. Your other machines are much safer if they access the Internet through a Network Address Translation router which also serves as a firewall.
Our IPNetRouter software will let you use your Macintosh as a Network Address Translation router for all of your machines on a network (other Macintoshes, Windows machines, Linux boxes, etc.). IPNetRouter will also let you use your machine as you normally would (IPNetRouter is very efficient and uses very little CPU time or memory resources). By running IPNetRouter on your Macintosh, with RPC Reporter (or IPNetSentry) also running on this machine, you have a fully protected network. In addition, since you are sharing a single IP address among ALL of your machines, you often save money.
© 2000-2003 Sustainable Softworks