IT Security: What to Do if You Suspect a Network Break-in
What to Do if You Suspect Problems
- Review the indications of a system attack. This section lists common problems, their causes, and steps you can take to determine whether your problem is in fact the result of an attack on your machine.
- After reviewing the indications of an attack and determining that your system might be compromised, learn what to do if your system is being attacked.
Important: Respond to an attack only by reporting the incident and securing your system as instructed. Do not attempt to respond to the attacker yourself; an attack on your system will be dealt with officially by IT Security Services. Information is available on what not to do if your system is being attacked.
Indications of a System Attack
If you are concerned that your computer has been compromised, look for these signs that it may have been hacked:
- Exceptionally slow, unable to connect to network services, or simply non-functional. These symptoms may indicate a denial-of-service attack (an attack aimed at preventing you from using a particular resource). However, from time to time MITnet itself is down or exceptionally slow. If you find that you are unable to connect, first check whether other people are having the same problem. If the problem is isolated to your system, and you have not received an email notifying you that your network drop has been turned off, then it may indeed be the result of a malicious hacker.
- Unexplained disk activity. Be aware that some systems do disk-related cleanup while idle, so this may be merely system "housekeeping."
- Unusual log entries, such as login failures, user additions or deletions, or network connections to unfamiliar services.
- System appears to be less responsive than expected.
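The log-entry symptoms listed above (repeated login failures, accounts added or deleted, services listening that you do not recognize) can be checked mechanically rather than by eye. The following is an added example, not code from the original page or an IT Security tool: a small Python triage script run over constructed auth.log-style lines and a constructed listening-socket table in the shape of `ss -tlnp` output. The failure threshold, the known-good port baseline, the log lines and the socket entries are all assumptions made for the example; a real baseline would be recorded while the machine is known to be clean.

```python
import re
from collections import Counter

# Constructed auth.log-style lines for illustration only; they are not from
# the original page and do not describe any real host.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 host sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:09 host sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:12 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:15 host sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Mar  3 02:14:18 host sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51028 ssh2
Mar  3 02:14:21 host sshd[4121]: Failed password for alice from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:30 host sshd[4130]: Accepted password for alice from 203.0.113.7 port 51032 ssh2
Mar  3 02:15:02 host useradd[4150]: new user: name=sysupd, UID=0, GID=0, home=/tmp/.x, shell=/bin/bash
Mar  3 02:15:40 host userdel[4160]: delete user 'backup'
Mar  3 09:00:01 host CRON[5000]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:12:44 host sshd[5100]: Accepted publickey for bob from 192.0.2.5 port 40112 ssh2
"""

# Patterns for the OpenSSH and shadow-utils messages used in the sample above.
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")
USERDEL = re.compile(r"userdel\[\d+\]: delete user '([^']+)'")

# Assumed threshold: this many failures from one source is worth a look.
FAILURE_THRESHOLD = 5


def triage_auth_log(text, threshold=FAILURE_THRESHOLD):
    """Scan auth-log text in order and return a list of (severity, message)."""
    findings = []
    failures = Counter()  # source address -> failed-login count so far
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, src = m.groups()
            failures[src] += 1
            if failures[src] == threshold:  # report each noisy source once
                findings.append(("medium", f"{threshold}+ failed logins from {src}"))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            # A success that follows a burst of failures from the same source
            # is the classic sign that a password-guessing attack got in.
            if failures[src] >= threshold:
                findings.append(("high", f"login for {user} from {src} after {failures[src]} failures"))
            continue
        m = USERADD.search(line)
        if m:
            user, uid = m.group(1), int(m.group(2))
            # A second UID-0 account is a common way to keep root access.
            sev = "high" if uid == 0 else "medium"
            findings.append((sev, f"account {user} created with UID {uid}"))
            continue
        m = USERDEL.search(line)
        if m:
            findings.append(("medium", f"account {m.group(1)} deleted"))
    return findings


# Constructed listening sockets (local address, port, owning process) in the
# shape of `ss -tlnp` output; assumed, not captured from a real host.
SAMPLE_LISTENERS = [
    ("0.0.0.0", 22, "sshd"),
    ("127.0.0.1", 631, "cupsd"),
    ("0.0.0.0", 4444, "nc"),
]

# Assumed known-good baseline of ports this host is expected to serve.
EXPECTED_PORTS = {22, 631}


def unfamiliar_listeners(listeners, expected=EXPECTED_PORTS):
    """Return listeners whose port is not in the known-good baseline."""
    return [(addr, port, proc) for addr, port, proc in listeners if port not in expected]


if __name__ == "__main__":
    for sev, msg in triage_auth_log(SAMPLE_AUTH_LOG):
        print(f"[{sev}] {msg}")
    for addr, port, proc in unfamiliar_listeners(SAMPLE_LISTENERS):
        print(f"[high] unexpected listener {proc} on {addr}:{port}")
```

This belongs to the "is something wrong?" stage. Once the output (or anything else) convinces you the machine is compromised, stop investigating on the box and follow the steps in the next section: disconnect, report, and leave the system untouched for IT Security.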
What to Do if Your System is Being Attacked
- Disconnect the machine from the network. This prevents an attacker from doing further damage to your system, and from using your system to attack others. To disconnect your machine, simply unplug the ethernet cable; if the computer uses a wireless connection, either disable the wireless adapter or physically remove the card from its slot.
Note: Do NOT turn the machine off or reboot unless instructed to do so by IT Security. Processes and network connections left behind by an attacker exist only in memory and will not survive a reboot, which will make it more difficult for IT Security to determine the cause of your problem. Furthermore, other changes an attacker made to the machine may be designed to take effect during reboot. Leave your computer powered on and disconnected from the network unless otherwise instructed.
- Send email to security@mit.edu. Be sure to include the machine name; operating system type and version; contact person; and any other information relating to the suspected event.
- Preserve system logs and other data that might be useful in tracking the source and nature of the intrusion. To do this, leave your computer alone, disconnected from the network, and wait to hear from a network security consultant. Do not reinstall your operating system or attempt to repair your computer until you receive proper notification from IT Security. Depending on the nature of your problem, an IT Security consultant may choose to visit your computer to perform an analysis.
Information on your compromised machine may provide clues as to the source of the attack. By preserving your
system logs and relevant data, you can help IT Security protect your computer and others on the MIT network from
future attacks.
- Await follow-up from IT Security. You will receive a response from IT Security with further inquiries and instructions regarding your case. Once your system is secure, notification will be sent letting you know that it is safe to reconnect your machine to the network.
What Not to Do if Your System is Being Attacked
If you believe you have been the victim of an attack, there are a number of things you should not do:
- Do not launch a return attack on the suspected source system. Incoming attacks often use forged source addresses, so that any repercussions fall on an innocent third party. A retaliatory denial-of-service attack also causes damage and inconvenience to innocent parties that share network or system resources with the host you are targeting. Such attacks are a violation of the MITnet Rules of Use, and it is important that you maintain "innocent victim" status.
- Do not engage in a verbal or textual "flame war" with the suspected attacker. The actual identity of the attacker is often purposefully obscured, and your response may inadvertently target an innocent third party.
Because of the possibility of legal ramifications, attacks on MITnet hosts are a matter to be dealt with officially by experienced IT Security staff only.