Campus Network Design Fundamentals

Not a week goes by without news of another network attack. CERT, a U.S. federally funded center coordinating communication during security emergencies, estimated that security breaches in the United States totaled 153,000 in 2003, almost double that of the prior year and more than a sevenfold increase in three years.

Viruses, Worms, and Trojan Horses

A virus is a program that triggers a damaging outcome. Viruses often disguise themselves as executables with clever filenames like "You won." A virus requires a human action, such as opening an e-mail attachment, to be activated.

A worm is a virus that can self-duplicate. A worm might have the capability of scanning the network and infecting neighboring workstations.

A Trojan horse pretends to be an inoffensive application when in fact it might contain a destructive payload. An example of a Trojan horse could be an attachment that, after being opened, shows a picture of a cute puppy, but in the background, the code is reading the e-mail addresses of the user's address book and forwarding those addresses to a hacker's repository for future spam use. Trojan horses are not considered viruses because they don't reproduce themselves.

When dealing with network security, one trend is certain: Attacks are becoming more complex. Blaster and SoBig.F, which we explain in the following sidebar, are examples of those complex threats called combo malware. Malware is a generic term that describes malicious software such as viruses and Trojan horses. Combo malware are hybrid menaces that combine destructive components of different threats. For example, a worm that carries a viral payload would be called combo malware.

Infamous Attacks: A Short List

Code Red

Date: July 2001

Characteristics: Worm that infected Microsoft Internet Information Servers (IISs) and defaced web pages of infected servers with the message "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" The worm continued spreading and infected more IISs on the Internet. About 20 days after infecting a server, the worm launched a denial of service (DoS) attack on several fixed IP addresses, among which was the White House address. We explain DoS in detail in the section "Denial of Service Attacks," later in this chapter.

I Love You

Date: May 2000

Characteristics: Often called a virus, this attack's behavior is more related to being a worm, considering how it spread. When a user opened an infected e-mail attachment, that user's system was infected, and it replicated itself to everyone in the user's address book.

Melissa

Date: 1999

Characteristics: Virus that spread inside Microsoft Word macros.

Nimda

Date: September 2001

Characteristics: Worm that infected Microsoft IISs and any computer on which the e-mail attachment was opened. Nimda's payload is a "traffic slowdown," but it doesn't destroy or cause harm other than creating delays.

Slammer

Date: January 2003

Characteristics: Sent traffic to randomly generated IP addresses, hoping to find a host that runs the Microsoft SQL Server Resolution Service so that the target can propagate more copies of the worm.

Blaster

Date: August 2003

Characteristics: The worm was programmed to start a SYN flood attack on August 15 against port 80 of http://www.windowsupdate.com, thereby creating a DoS attack against the site. SYN floods and DoS are explained in the section "Denial of Service Attacks," later in the chapter.

SoBig.F

Date: August 2003

Characteristics: A worm that set a record for the sheer volume of e-mails it generated. It was also a Trojan horse because it masqueraded as an innocuous e-mail with a subject line such as "RE: Details" and with an attachment with a filename such as details.pif.
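The SoBig.F entry above, like the Trojan horse description earlier in the chapter, turns on a single weak point: a user opening an attachment whose filename makes it look harmless. The following is an added example (not from the book) of the kind of mail-gateway check a defender would put in front of users: it parses a message with Python's standard `email` library and flags any attachment whose final extension Windows would treat as executable, including the double-extension trick ("puppy.jpg.pif"). The sample messages are constructed inline and are not real SoBig.F captures; the extension list is an assumption chosen for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly; .pif is the one SoBig.F used.
# This list is an illustrative assumption, not a complete policy.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}


def attachment_names(raw_message: bytes) -> list[str]:
    """Return the filenames of all attachments in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose *last* extension is executable.

    Looking only at the last extension is deliberate: "puppy.jpg.pif"
    is still launched as a .pif, whatever the middle part suggests.
    """
    risky = []
    for name in attachment_names(raw_message):
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            risky.append(name)
    return risky


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a small test message carrying one binary attachment.

    Constructed sample data for the example only; the payload is just
    zero bytes, not malware.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(
        b"\x00" * 16,
        maintype="application",
        subtype="octet-stream",
        filename=filename,
    )
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("RE: Details", "details.pif"),   # SoBig.F-style lure
        build_sample("Cute puppy", "puppy.jpg.pif"),   # double extension
        build_sample("Q3 report", "report.pdf"),       # benign
    ]
    for raw in samples:
        subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
        print(f"{subject!r}: risky={risky_attachments(raw)}")
```

Run it directly to see which of the three constructed messages are flagged. In a real gateway the same `risky_attachments` check would sit alongside content scanning, since a filename policy alone stops only the lures that rely on the user double-clicking an executable.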
