Thursday, August 9, 2007

Techniques and strategies for preventing and controlling network worms

Every worm outbreak inflicts massive losses on society. The Nimda worm was discovered on September 18, 2001; estimates of the losses it caused climbed from 500 million US dollars to 2.6 billion US dollars and kept rising, and to this day no final figure has been established. Worms are now breaking out more and more frequently; in the last two years in particular, more and more worms (for example Blaster, "shock wave", and Sasser, "vibration wave") have appeared. Researching worms thoroughly, proposing an effective solution, and providing a secure network environment for enterprises and government has become a pressing issue for us.

What is a worm

An Internet worm is an independent program that runs without any intervention by the computer user; it propagates by continually gaining partial or complete control of computers on the network that have a vulnerability.

The biggest difference between a worm and a virus is that a worm needs no human intervention: it replicates and propagates on its own, without stopping. The workflow of a worm program can be divided into four stages: vulnerability scanning, attack, infection, and on-site processing. After the worm program scans and finds a computer system with a vulnerability, it transfers the worm body to the target host. The worm program then enters the infected system and performs on-site processing on the target host. On-site processing includes work such as hiding and information collection. The IP-generation strategy adopted by different worms is not necessarily the same; some even generate addresses randomly. The complexity of each step also varies: some are extremely complex, others extremely simple.

A worm's behavioral characteristics include:

Self-reproduction:

Exploiting software vulnerabilities:

Creating network congestion:

Consuming system resources:

Leaving behind security risks:

A worm's way of working can be summarized as follows: 1. randomly generate an IP address; 2. judge whether the machine at that IP address can be infected; 3. if it can, infect it; 4. repeat steps 1 to 3 a total of m times, where m is the number of copies the worm produces.

How to detect worms

From the analysis above it is clear that discovering a worm as early as possible, and isolating and restoring the hosts it has infected, is the key to preventing the worm from spreading and causing heavy losses.

At present there is no dedicated worm detection and defense system in China; traditional host antivirus systems cannot detect unknown worms at all, and can only passively detect worms whose signatures have already been discovered. Moreover, among the intrusion detection products on the market today, worm detection is also mostly signature-based. Therefore we use the anomaly detection function provided by the IDS, discovering anomalies in the network in order to control worm infection. Although this smacks somewhat of hindsight, as long as the worm is discovered promptly, the losses it causes can still be greatly reduced.

For detecting unknown worms, the intrusion detection system builds on anomaly analysis of traffic volume and of TCP connections, and additionally applies anomaly analysis to ICMP data, so that unknown worms in the network can be detected comprehensively. This network worm detection technique is due to Bob Gray; concretely, the process is as follows: when a host initiates a connection to a host that does not exist, the intermediate router produces an ICMP-T3 (destination unreachable) packet and returns it to the worm's host.

This method can detect worms that spread at high speed with a large-scale infection pattern. (It is very difficult to detect worms that target a specific network and slow-spreading worms. For these two kinds of worm, however, one can say that the harm they do to the network as a whole is comparatively small.)
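The ICMP-T3 heuristic described above, turned into detection logic over constructed router log lines (an added example, not code from the original post; the log format, the hosts and the thresholds are all assumptions). A host that collects "destination unreachable" replies for many distinct targets in a short window is flagged as scanning; the sample also shows the caveat from the paragraph above, since a slow scanner stays below the threshold.

```python
import re
from collections import defaultdict, deque

# Constructed log format (assumption, not a real product's output):
# "<ts> icmp src=<router> dst=<host> type=<n> code=<n> orig_dst=<unreachable target>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) icmp src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+) orig_dst=(?P<orig_dst>[\d.]+)$"
)

def parse_icmp_t3(lines):
    """Yield (ts, host, unreachable_target) for ICMP type-3 messages only.
    The ICMP packet's dst is the host that originated the failed connection,
    i.e. the host the router is telling 'destination unreachable'."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("type") != "3":
            continue
        yield int(m.group("ts")), m.group("dst"), m.group("orig_dst")

def detect_scanners(lines, window=10, threshold=5):
    """Flag hosts that received ICMP-T3 replies for >= threshold *distinct*
    targets within any `window` seconds (assumes timestamps arrive in order
    per host). Retries against one dead address do not count as scanning.
    Returns {host: timestamp at which it was first flagged}."""
    recent = defaultdict(deque)   # host -> deque of (ts, target), oldest first
    flagged = {}
    for ts, host, target in parse_icmp_t3(lines):
        q = recent[host]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        if host not in flagged and len({t for _, t in q}) >= threshold:
            flagged[host] = ts
    return flagged

def t3(ts, host, target, router="10.0.0.1"):
    """Build one constructed 'destination unreachable' log line."""
    return f"{ts} icmp src={router} dst={host} type=3 code=1 orig_dst={target}"

# Constructed sample: a fast random scanner, a slow scanner (one probe per 30 s),
# a legitimate host retrying one mistyped address, and an unrelated ICMP type-11 line.
SAMPLE_LOG = (
    [t3(100 + i, "10.0.0.9", f"10.0.{i}.{200 + i}") for i in range(8)]
    + [t3(100 + 30 * i, "10.0.0.7", f"10.0.{i}.50") for i in range(8)]
    + [t3(105, "10.0.0.2", "10.0.1.1"), t3(106, "10.0.0.2", "10.0.1.1")]
    + ["110 icmp src=10.0.0.1 dst=10.0.0.2 type=11 code=0 orig_dst=10.0.2.2"]
)

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))           # only the fast scanner
    print(detect_scanners(SAMPLE_LOG, window=300))  # a wide window also catches the slow one
```

Widening the window catches the slow scanner at the cost of more false positives from ordinary hosts, which is the trade-off the paragraph above alludes to.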

An all-round worm prevention and control strategy

When a worm is discovered, it must be responded to in the shortest possible time. First, raise an alarm, notify the administrator, and isolate the hosts infected by the worm through interaction with the firewall, the router, or the HIDS; then analyze the worm, further formulate a detection strategy, patch the security risks present across the whole system as soon as possible so that the worm cannot infect again, and remove the worm from the infected hosts.

For a host that has been infected by a worm, the prevention and control strategy is as follows:

1. Interaction with the firewall: by controlling the firewall policy, control the outbound traffic of the infected host, preventing the worm from infecting hosts on external networks.

2. Switch linkage: link with the switch through the SNMP protocol; when a host in the network is found to be infected by a worm, its communication with the other hosts in the network can be cut off, preventing the infected host from spreading the worm freely within the network.

3. Notify the HIDS (host-based intrusion detection): a server with HIDS installed receives the information sent by the monitoring system and can block access from suspicious hosts; this prevents the infected host from accessing the server, so that the important resources on the server are protected from damage.

4. Alarm: raise an alarm and notify the network administrator; after the worm has been analyzed, a scanner can be deployed to scan the network for the vulnerability, hosts found to have it are told to download the patch from the patch server and repair it, and the worm is prevented from spreading further.
