Cisco switch Security Lecture Hall: cracking the Shock Wave virus and Code Red

Source: Internet
Author: User
Tags: cisco switch

This Cisco switch security lecture walks through the Shock Wave virus and Code Red, explains the basic principles behind these viruses, and builds awareness of Cisco switch security. Simple protective measures also receive attention. In today's networked world, security is crucial.

While the Internet has brought huge benefits to people's lives, people increasingly suffer from network viruses, network instability and network paralysis. There are many types of viruses. Classified by the medium a virus uses, viruses fall into network viruses, file viruses, and boot viruses. File viruses and boot viruses generally do not affect network operation, but they may damage or destroy the file system on a user's computer.

A network-type virus, by contrast, infects computers through the network itself, so that the network can no longer be used normally. It generally does no damage to the individual user's computer, and users do not notice a virus at all; they only feel that the network is abnormal or paralyzed. This network anomaly is often mistaken by users for a physical network quality problem, so a flood of complaints is inevitable, as with the recently raging Shock Wave virus.

When a network virus is raging, the network maintenance staff are the ones to pity. They become the outlet for users' frustration: every day they face complaint after complaint and can do nothing about it. This kind of grievance is hard to argue against, because it is very difficult to identify whose machine is infected.

Each complaining user can only be told to scan for and remove viruses on their own machine. However, the host of the complaining user is not necessarily the infected host. At the same time, many users on the residential network know little about networking, so this explanation is intolerable to angry users and is generally taken as a sign of shirking responsibility and incompetence. Let's take a look at the two most common network viruses:

Cisco switch security: getting familiar with the Shock Wave virus

Since the Shock Wave virus (Worm.MSBlast.6176) was first intercepted by Rising's global anti-virus monitoring network on August 12, it has already had a wide-ranging impact in China. Although all major anti-virus software companies have released specialized upgrade packages, there are still many users whose computers remain relatively careless about preventing attacks.

The virus is still spreading at a rate of 30 thousand systems per hour, and it is expected to cause a global economic loss of $1.2 billion. When the virus runs, it constantly uses IP scanning to search the network for computers running the Win2K or XP operating systems. After finding one, it uses the DCOM RPC buffer vulnerability to attack the system. Once the attack succeeds, the virus is transmitted to the other party's computer for infection, causing system operation exceptions.

The symptoms are as follows: an RPC service termination dialog box is displayed, the system restarts repeatedly, the system cannot send or receive email, files cannot be copied normally, web pages cannot be browsed normally, copy and paste operations are severely affected, the DNS and IIS services are denied, and the entire network system is almost paralyzed. In addition, the virus launches a denial-of-service attack on a Microsoft update website, so that the website is blocked and users cannot upgrade their systems through it.

It can be seen that the virus spreads quickly by exploiting the Remote Procedure Call (RPC) vulnerability of the Microsoft operating system. RPC is an Internet remote service protocol invented by Microsoft; it is an application built on TCP/IP. We know that an application protocol on an IP network must use a TCP/UDP port number to provide its service. The RPC TCP port number is 135.

Please remember this port number, because the port 135 vulnerability caused a global economic loss of $1.2 billion! An attacker seeks to exploit this vulnerability by writing a program that communicates with a vulnerable server over TCP port 135 and sends an RPC message of a specific type or with a malformed format.

Receiving such a message can cause a fault in the RPC service on the vulnerable computer and thus arbitrary code execution. The virus then modifies the registry, harvests email address information, and damages the local machine while spreading over the Internet by email. At the same time, the virus opens a cmd.exe shell on TCP port 4444 and listens on UDP port 69; when a service request arrives there, the msblast.exe file is sent.

Cisco switch security: revealing Code Red

Code Red is a worm that infects systems running Microsoft Index Server 2.0, or Windows 2000 with the Indexing Service enabled together with IIS. The worm spreads through a buffer overflow vulnerability: an unchecked buffer in the Index Server ISAPI extension makes the web server insecure.

The worm spreads over TCP/IP on port 80. By exploiting the vulnerability above, it sends itself directly as a TCP/IP stream into the buffer of the infected system, and then scans web servers in sequence to infect other systems. Once the current system is infected, the worm checks whether the file c:\notworm exists on the hard disk; if it does, the worm stops infecting other hosts. Unlike other viruses, Code Red does not write virus data to the hard disk of the attacked server.

It resides only in the memory of the attacked server and uses that server's network connection to attack other servers. The Code Red worm can spread quickly and cause network access speed to drop, or even block access, over a wide area. The damage caused by the Code Red worm consists mainly of modifying web pages and attacking other servers on the network; each attacked server can go on to attack further servers.
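The two propagation patterns described above (Shock Wave scanning TCP port 135 and then using TCP port 4444 and UDP port 69; Code Red walking web servers in sequence on port 80) can be spotted from ordinary flow records before anyone identifies an infected host by hand. The following is an added example, not code from the article or from any vendor mentioned in it: it parses a constructed flow log (the addresses, timestamps and scan thresholds are assumptions chosen for illustration) and flags sources whose traffic matches either worm's propagation chain.

```python
"""Detect worm-style propagation in flow records (added example, not from the article).

Constructed flow records imitate what a layer-3 switch or flow collector exports:
"time src dst proto dport". Shock Wave: one source hits TCP/135 on many distinct
hosts, then TCP/4444 to a victim and UDP/69 back from it. Code Red: one source
walks consecutive addresses on TCP/80 (the article describes sequential scanning).
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows (not captured data). 10.1.1.20 behaves like a Shock Wave
# host, 10.1.1.30 like a Code Red host, 10.1.1.40 is ordinary traffic.
SAMPLE_FLOWS = """\
1 10.1.1.20 10.1.2.1 tcp 135
2 10.1.1.20 10.1.2.2 tcp 135
3 10.1.1.20 10.1.2.3 tcp 135
4 10.1.1.20 10.1.2.4 tcp 135
5 10.1.1.20 10.1.2.5 tcp 135
6 10.1.1.20 10.1.2.5 tcp 4444
7 10.1.2.5 10.1.1.20 udp 69
8 10.1.1.30 10.1.3.10 tcp 80
9 10.1.1.30 10.1.3.11 tcp 80
10 10.1.1.30 10.1.3.12 tcp 80
11 10.1.1.30 10.1.3.13 tcp 80
12 10.1.1.30 10.1.3.14 tcp 80
13 10.1.1.30 10.1.3.15 tcp 80
14 10.1.1.40 10.1.9.9 tcp 80
15 10.1.1.40 10.1.9.9 tcp 443
16 10.1.1.40 10.1.2.7 tcp 135
"""


def parse_flows(text):
    """Parse 'time src dst proto dport' lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, proto, dport = line.split()
        flows.append({"time": int(t), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def detect_blaster(flows, scan_threshold=5):
    """Return {scanner: {"scanned": n_targets, "infected": [victims]}}.

    A source counts as a scanner once it has touched TCP/135 on at least
    scan_threshold distinct hosts. A target counts as a confirmed victim when the
    scanner also opened TCP/4444 to it and the target fetched over UDP/69 from
    the scanner, the chain the article describes (assumed threshold: 5 hosts).
    """
    scanned = defaultdict(set)
    shells = set()   # (attacker, victim) pairs seen on TCP/4444
    tftp = set()     # (victim, attacker) pairs seen on UDP/69
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 135:
            scanned[f["src"]].add(f["dst"])
        elif f["proto"] == "tcp" and f["dport"] == 4444:
            shells.add((f["src"], f["dst"]))
        elif f["proto"] == "udp" and f["dport"] == 69:
            tftp.add((f["src"], f["dst"]))
    result = {}
    for scanner, targets in scanned.items():
        if len(targets) < scan_threshold:
            continue
        victims = sorted(v for v in targets
                         if (scanner, v) in shells and (v, scanner) in tftp)
        result[scanner] = {"scanned": len(targets), "infected": victims}
    return result


def detect_code_red(flows, run_threshold=5):
    """Return {source: longest run of consecutive TCP/80 destination addresses}
    for sources whose run reaches run_threshold (assumed threshold: 5 hosts)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 80:
            targets[f["src"]].add(int(ipaddress.ip_address(f["dst"])))
    result = {}
    for src, addrs in targets.items():
        ordered = sorted(addrs)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= run_threshold:
            result[src] = best
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Shock Wave suspects:", detect_blaster(flows))
    print("Code Red suspects:", detect_code_red(flows))
```

The thresholds are the tuning knobs: a host that legitimately manages many Windows machines may touch port 135 on several of them, so the Shock Wave check reports a scanner separately from the confirmed victims, and only the full 135/4444/69 chain marks a host as infected.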

The anti-virus function of XINGNET's smart security layer-3 switch can fully address users' concerns about these viruses. Network firewalls, on the other hand, are generally deployed at the egress of the intranet. They are used to protect against intrusion from the external network and have limited control over the internal network; against attackers who are legitimate users of the internal network, such technologies are often helpless.

It makes no sense to protect a network that is already congested by viruses. Many of today's passive defense technologies struggle to solve internal network security problems effectively. For example, firewalls have weak trace-back capability; they only record the security activity status of Cisco switches.

As the smart access point closest to users, the layer-3 switch sits deeper in the base layer of the network than a firewall does. At this layer, network control is easier, more effective, and more cost-effective. In the event of internal disorder, it can effectively contain the scope of impact and accurately locate the source of the disturbance.

Therefore, the XINGNET smart security layer-3 switch does not simply block viruses by configuring the switch's access control list (ACL); it can also discover and trace the virus source. The system can accurately detect infected computers, take appropriate measures to find the virus source, and provide virus-source list logs.

As with a firewall, once the network administrator configures a security protection policy on the switch, virus attacks are killed in the cradle and cannot build into an attack frenzy. Network maintenance personnel no longer need to suffer such great injustice and can rest assured.

Cisco switch security also provides packet header parsing. It can analyze the characteristics of each data packet; once a packet matching a virus feature in a rule is found, it is immediately blocked, the virus source is recorded, and the virus source is dynamically blocked for the time specified. A virus prevention policy can block viruses based on user-configured virus parameters.

The policy for temporarily blocking a host that sends viruses comes in two types: the basic policy and the super policy. The basic policy blocks packets carried over TCP/UDP, which covers most virus data packets. The super policy can control virus packets that do not have TCP/UDP characteristics.
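The packet-header parsing, immediate blocking, timed unblocking and virus-source log described in the last two paragraphs, together with the basic/super policy split, fit in a small policy engine. The following is an added example written for this page; it is not XINGNET's or Cisco's code and does not reproduce any vendor's rule format. The rule tables, the default block time and the packet dictionary shape are assumptions; the port numbers come from the article's description of Shock Wave, and the rendered output uses standard Cisco IOS extended ACL syntax.

```python
"""Temporary virus-source blocking with basic and super policies (added example)."""
from collections import defaultdict

# Constructed rule tables (illustrative, not the vendor's rule syntax).
# Basic policy: virus features carried over TCP/UDP, the common case.
BASIC_RULES = {
    "shockwave-rpc": ("tcp", 135),
    "shockwave-shell": ("tcp", 4444),
    "shockwave-tftp": ("udp", 69),
}
# Super policy: features that are not TCP/UDP at all, e.g. an ICMP flood.
SUPER_RULES = {
    "icmp-flood": ("icmp", None),   # None = no port to match (ICMP has none)
}


class VirusBlockPolicy:
    """Blocks hosts whose packet headers match a configured virus feature,
    for block_seconds, and keeps a virus-source list log."""

    def __init__(self, block_seconds=600, hit_threshold=1, use_super=True):
        self.block_seconds = block_seconds
        self.hit_threshold = hit_threshold   # 1 = block on the first matching packet
        self.rules = dict(BASIC_RULES)
        if use_super:
            self.rules.update(SUPER_RULES)
        self.hits = defaultdict(int)         # (src, rule name) -> matching packets seen
        self.blocked = {}                    # src -> (expiry time, rule name)
        self.source_log = []                 # virus-source list: (time, src, rule name)

    def _match(self, pkt):
        """Return the name of the first rule matching this header, or None."""
        for name, (proto, dport) in self.rules.items():
            if pkt["proto"] == proto and (dport is None or pkt.get("dport") == dport):
                return name
        return None

    def _expire(self, now):
        """Lift blocks whose time has run out (dynamic, time-limited blocking)."""
        for src in [s for s, (expiry, _) in self.blocked.items() if expiry <= now]:
            del self.blocked[src]

    def inspect(self, pkt, now):
        """Decide 'drop' or 'forward' for one packet header seen at time `now`.

        pkt is a dict with 'src', 'proto' and, for TCP/UDP, 'dport'.
        """
        self._expire(now)
        if pkt["src"] in self.blocked:
            return "drop"
        rule = self._match(pkt)
        if rule is None:
            return "forward"
        self.hits[(pkt["src"], rule)] += 1
        if self.hits[(pkt["src"], rule)] >= self.hit_threshold:
            self.blocked[pkt["src"]] = (now + self.block_seconds, rule)
            self.source_log.append((now, pkt["src"], rule))
            return "drop"
        return "forward"

    def acl_lines(self, acl_number=110):
        """Render the current block list as Cisco IOS extended ACL statements."""
        lines = [f"access-list {acl_number} deny ip host {src} any"
                 for src in sorted(self.blocked)]
        lines.append(f"access-list {acl_number} permit ip any any")
        return lines


if __name__ == "__main__":
    policy = VirusBlockPolicy(block_seconds=600)
    policy.inspect({"src": "10.1.1.20", "proto": "tcp", "dport": 135}, now=100)
    policy.inspect({"src": "10.1.1.50", "proto": "icmp"}, now=100)
    print("\n".join(policy.acl_lines()))
    print("virus source log:", policy.source_log)
```

Setting hit_threshold above 1 is the practical escape hatch for features that share a port with legitimate traffic: the switch then tolerates a few matching packets before it quarantines the host, while the source log still records exactly when and why each block was applied.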
