The Coming Age of Defensive Worms
David Meltzer, CTO, Intrusec

Why?
“I don't know whether a good worm can be safe and effective, but this merits serious technical study.”
- Martha Stansell-Gamm (May 26, 2003) [1], Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice

What Will You Learn?
- The history of good worms
- The problems with defensive worms
- How defensive worm problems are solved
- Possible evolutionary steps

The Question
Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?

Worm Reality
- A new exploit just came out.
- You have 5,000 vulnerable systems.
- The worm is coming.
- What do you do?

The Worm Antidote
- It fixes all the systems on your network.
- It does it faster than the worm can spread.
- It only infects your own systems.
- Do you run it?

Which Worm Do You Want?

What Will You Learn? - The history of good worms

“Good Worms”
A worm, BUT with a “beneficial” payload. BUT still:
- Disruptive to networks
- Runs without permission
- Requires clean-up
- ILLEGAL

What Do “Good Worms” Do?
Scan, Listen, Exploit, Patch, Disinfect

Timeline of “Good Worms”
1999, 2000, 2001, 2002, 2003 (timeline graphic; the case studies below are its entries)

Case Study: Millennium [2,3]
- Discovered 8/15/99
- Written by Mixter [4]
- Multiple Linux vulns: scans, patches, backdoors
- Scans for systems vulnerable to 5 remote Linux holes
- Exploits the remote system
- Patches the 5 Linux vulns
- Installs a backdoor
- Sends notification of infection to a Hotmail address
- Installs itself on the system

Case Study: Cheese [5]
- Discovered 5/01
- Unknown author
- Lion worm response: scans, disinfects
- Scans for systems infected by Lion
- Installs itself using the backdoor left by Lion
- Removes the Lion backdoor from the system

Case Study: Code Green [6]
- Code released 9/1/2001
- Written by Der HexXer
- Code Red response: scans, disinfects, patches
- Scans for systems infected with CodeRed
- Exploits the ISAPI vuln on infected systems
- Removes CodeRed from the system
- Installs the Q300972 hotfix on the system
- Installs itself on the system

Case Study: CRClean [7]
- Code released 9/1/2001
- Written by Markus Kem
- Code Red response: listens, disinfects, patches
- Listens for CodeRed to attack it
- Exploits the ISAPI vuln on CodeRed attackers
- Removes CodeRed from the system
- Patches the ISAPI vuln on the system
- Installs itself on the system

Industry Thinking on “Good Worms”
“Generally not well regarded” - eEye [8]

“The idea of a patch worm is a nice thought, but it is not a solution” - CERT [9]

“You cannot predict what's going to happen. You don't know what the impact is going to be if it's altered. It's never an alternative.” - Trend Micro [10]

“- What about the traffic it takes up?
- What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day?
- How does your worm know when it's done?
- Maybe I don't want my box patched, the patch broke my app.
- How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm?
- How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still *A* worm around on the 1st, which one is it?
- Do we really want an Internet-sized game of corewars?”

“Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's “The Diamond Age,” not on production Internet servers.” - Timothy Dyck [11]

“Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control. This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm” - eWeek [12]

/. Wisdom
“The only question raised here is, am I really going to trust this “helpful” worm or others like it to fully patch up my box properly?”
“Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong”
“Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRCing all day.”
“Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”

What Will You Learn? - The problems with defensive worms

Problems with Good Worms
No good worm to date has been remotely usable in a legal and effective manner.

Problem #1 - Legality
To run a worm legally, it must NEVER attempt to access unauthorized systems.
Extreme safeguards must be taken. A software bug will land you in jail.

Problem #2 - Network Usage
Worms are extremely noisy, causing network slowdowns and denial of service as a side-effect of running.
Need to be network friendly.

Problem #3 - Cleaning Up
Worms spread leaving a new mess to clean up, replacing the old mess.
Need to know when the work is done and perform its own clean-up.

Problem #4 - Management
Worms are uncontrollable once “released”.
Need to be able to centrally manage the operation and results of the worm while it is running.

“Defensive Worms”
A good worm, BUT:
- NOT disruptive to networks
- ONLY runs with permission
- NO clean-up
- LEGAL
Usable defensive worms do not exist, yet.

What Will You Learn? - How defensive worm problems are solved

Solution #1 - Legality
Redundant safeguards.
Restriction models: Opt-Out, Passive, IP Ranges, Border Routers, DNS.

Solution #1 - Legality: Lysine Deficiency [13]
A built-in mechanism that causes a worm to die if it spreads beyond its intended set of targets.
“Reverse Lysine” = Opt-Out (CodeRed)

Solution #1 - Legality: Heartbeats
A central server is checked before each time the worm launches an attack. If the server doesn't return a heartbeat, the worm pauses its operation. After a timeout period, if the heartbeat hasn't returned, the worm self-destructs.

Solution #1 - Legality: IP Ranges
The worm is configured with the IP addresses you are authorized to attack.

Solution #1 - Legality: Border Routers
The worm is configured with the border routers of a network. All systems within that network you are authorized to attack. If a border router comes between a prospective target and the worm, the worm does not propagate to it. If a border router isn't on the route to a known Internet server, the worm is already outside its authorized network.

Solution #1 - Legality: DNS
The worm is configured with domain names. All systems with hosts that resolve within those domains you are authorized to attack. The worm performs a DNS lookup on every prospective target. If DNS doesn't resolve to an authorized domain name, the target is not authorized.

References
1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http:/
2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, Sept, 1999. URL: http:/
3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http:/
4. Mixter. “mw06.tgz”, September 23, 1999. URL: http:/packetstormsecurity.nl/groups/mixter/mw06.tgz
5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001. URL: http:/www.sans.org/rr/papers/36/31.pdf
6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http:/
7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http:/
8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001. URL: http:/
9. Houle, Kevin. Quoted in “Cheese worm: A Linux fixer-upper?” by Robert Lemos, May 16, 2001. URL: http:/
10. Hartmann, Joe. Quoted in “Cheesy Fix-It Worm Patches Security Flaws” by Jay Lyman, May 18, 2001. URL: http:/
11. Dyck, Timothy. “Thanks, but we don't want your Cheese (worm)!”, June 30, 2001. URL: http:/
12. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http:/
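The "Solution #1 - Legality" slides above list the safeguards (IP ranges, border routers, DNS, and a heartbeat with a self-destruct timeout) but not how they compose. The following is an added example, not code from the deck or from Intrusec: a target-authorization gate that runs before every propagation attempt and fails closed, so that a lookup error or any single failing model means the target is not authorized. The class names, sample addresses, PTR records and route tables are constructed for illustration; the DNS and route lookups are injected callables so the whole thing runs offline.

```python
"""Fail-closed target-authorization gate for a network-local defensive worm.

Added example (not from the original deck). Layers the IP-range,
border-router and DNS restriction models and a heartbeat with a
self-destruct timeout (the "lysine deficiency"). All sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class TargetPolicy:
    authorized_ranges: List[ipaddress.IPv4Network]  # address space you own
    authorized_domains: tuple                       # e.g. ("corp.example",)
    border_routers: frozenset                       # router IPs delimiting the network
    reverse_dns: Callable[[str], Optional[str]]     # ip -> PTR name, or None
    route_to: Callable[[str], List[str]]            # ip -> ordered hop IPs

    def in_ranges(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.authorized_ranges)

    def inside_border(self, ip: str) -> bool:
        # A border router on the path means the target is outside the
        # authorized network; an unknown route is treated the same way.
        try:
            hops = self.route_to(ip)
        except Exception:
            return False
        return not any(hop in self.border_routers for hop in hops)

    def in_domain(self, ip: str) -> bool:
        # PTR name must sit strictly below an authorized domain, so a
        # look-alike such as "evilcorp.example" does not match "corp.example".
        try:
            name = self.reverse_dns(ip)
        except Exception:
            return False
        if not name:
            return False
        fqdn = name.rstrip(".").lower() + "."
        return any(fqdn.endswith("." + d.strip(".").lower() + ".")
                   for d in self.authorized_domains)

    def authorized(self, ip: str) -> bool:
        # Redundant safeguards: every model must agree.
        return self.in_ranges(ip) and self.inside_border(ip) and self.in_domain(ip)


@dataclass
class Heartbeat:
    check: Callable[[], bool]   # contacts the control server; True if it answered
    timeout: float              # seconds without a heartbeat before self-destruct
    clock: Callable[[], float]  # injected so the timeout is testable offline
    last_ok: Optional[float] = None
    dead: bool = False

    def __post_init__(self) -> None:
        self.last_ok = self.clock()

    def permit(self) -> str:
        """Return "run", "pause" or "self_destruct"; self-destruct is latched."""
        if self.dead:
            return "self_destruct"
        try:
            alive = self.check()
        except Exception:
            alive = False
        now = self.clock()
        if alive:
            self.last_ok = now
            return "run"
        if now - self.last_ok >= self.timeout:
            self.dead = True
            return "self_destruct"
        return "pause"


def next_action(hb: Heartbeat, policy: TargetPolicy, target: str) -> str:
    """Decision taken before every propagation attempt."""
    state = hb.permit()
    if state != "run":
        return state
    return "attack" if policy.authorized(target) else "skip"


# Constructed sample environment (hypothetical addresses and names).
SAMPLE_PTR = {"10.20.1.5": "web1.corp.example.",     # authorized
              "10.20.1.6": "db1.partner.example.",   # in range, wrong domain
              "10.20.9.9": "dmz1.corp.example.",     # behind the border router
              "10.20.1.8": "x.evilcorp.example."}    # suffix look-alike
SAMPLE_ROUTES = {"10.20.1.5": ["10.20.1.1"], "10.20.1.6": ["10.20.1.1"],
                 "10.20.9.9": ["10.20.1.1", "10.20.255.1", "10.20.9.1"],
                 "10.20.1.8": ["10.20.1.1"]}          # 10.20.1.7 has no route entry


def sample_policy() -> TargetPolicy:
    return TargetPolicy([ipaddress.ip_network("10.20.0.0/16")], ("corp.example",),
                        frozenset({"10.20.255.1"}), SAMPLE_PTR.get,
                        lambda ip: SAMPLE_ROUTES[ip])


def demo_heartbeat() -> List[str]:
    """Drive the heartbeat through alive -> lost -> timed out -> recovered."""
    now, alive = [0.0], [True]
    hb = Heartbeat(check=lambda: alive[0], timeout=30.0, clock=lambda: now[0])
    seq = [hb.permit()]                       # run
    alive[0] = False; now[0] = 10.0
    seq.append(hb.permit())                   # pause, still within timeout
    now[0] = 31.0
    seq.append(hb.permit())                   # self_destruct
    alive[0] = True; now[0] = 32.0
    seq.append(hb.permit())                   # still self_destruct (latched)
    return seq
```

The point of `authorized()` is that the models are conjunctive and each one returns False on any error, which is what "redundant safeguards" has to mean when the failure mode is a crime rather than a missed patch. The heartbeat latches once it has expired, so a control server that comes back later cannot revive a worm that has already decided to die.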
