Ten High-Risk Intrusion Detection System Events and Their Countermeasures
Add date: 07/19/2008   Publishing date: 07/19/2008

The intranet intrusion detection system (hereafter "the IDS system") can promptly discover high-risk events on an intranet, such as network viruses, system vulnerabilities and anomalous attacks, and handle them effectively. This strengthens intranet security and safeguards the normal operation of each important business channel. To strengthen intranet management and make full use of the IDS system, the author analyzes the high-risk events seen in security monitoring and proposes countermeasures below, for everyone's reference.

Event 1: Windows 2000/XP RPC service remote denial-of-service attack

The vulnerability exists in the DCE-RPC library implementation in Windows. A remote attacker can connect to TCP port 135 and send malformed data, which can cause the RPC service to shut down. Once the RPC service is down, the system stops responding to new RPC requests, resulting in a denial of service.

[countermeasure]

1. Temporary workaround: use a firewall or the TCP/IP filtering mechanism built into Windows to restrict TCP port 135, limiting connections from untrusted external hosts.

2. Permanent fix: install the security patch.

Event 2: MSBLAST ("Shock Wave") worm propagation on Windows systems

A computer infected by the worm attempts to scan and infect other hosts on the network, consuming host resources and a large amount of network bandwidth, which causes network access capacity to drop sharply.

[countermeasure]

1. After downloading the patch, disconnect from the network and then install the patch.

2. Remove the worm.

Event 3: Sasser ("Oscillating Wave") worm propagation on Windows systems

The worm leaves a backdoor on the system and may cause the Windows 2000/XP operating system to restart. While it spreads, it may seriously degrade the performance of the infected host and consume a large amount of bandwidth on the infected network.

[countermeasure]

1. First, disconnect the computer from the network.

2. Then scan for and remove the worm with a dedicated removal tool.

3. Finally, install the system patch.

Event 4: Brute-force guessing of TELNET service user passwords

The TELNET service is a common remote login terminal emulation service. Users can log in to a system remotely through TELNET and execute arbitrary commands. This event is a privilege-gaining attack. The attacker may be trying to guess a valid TELNET user name and password; if successful, the attacker can log in to the system, run all kinds of commands and even take complete control of it.

[countermeasure]

Closely watch for further activity from the attack source and, if it is considered necessary, block its connections to the server.

Event 5: TELNET service user authentication failure

The TELNET service is often one of the channels attackers use to break into a system. In most cases, a legitimate user authenticates successfully during the TELNET login process. If the user name or password is invalid, the TELNET server reports an authentication failure. If the user name used to log in is the superuser, this deserves attention: check whether the source of the access is legitimate. If a large number of TELNET authentication failure responses appear within a short time, the host is probably under a brute-force guessing attack.
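
The two checks described for Event 5 can be expressed as a small log analyzer. This is an added example, not part of the original article or of any IDS product; the log format, the 60-second window, the threshold of 5 failures and the superuser names are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: date, time, source IP, user name, result (assumed format).
SAMPLE_LOG = """\
2008-07-19 10:00:01 192.0.2.10 alice FAIL
2008-07-19 10:00:09 192.0.2.10 alice OK
2008-07-19 10:01:00 198.51.100.7 alice FAIL
2008-07-19 10:01:02 198.51.100.7 bob FAIL
2008-07-19 10:01:04 198.51.100.7 carol FAIL
2008-07-19 10:01:06 198.51.100.7 dave FAIL
2008-07-19 10:01:08 198.51.100.7 root FAIL
2008-07-19 10:05:00 203.0.113.5 bob FAIL
2008-07-19 10:08:00 203.0.113.5 bob FAIL
2008-07-19 10:11:00 203.0.113.5 bob FAIL
2008-07-19 10:14:00 203.0.113.5 bob FAIL
2008-07-19 10:17:00 203.0.113.5 bob FAIL
2008-07-19 10:20:00 192.0.2.44 root FAIL
"""

WINDOW = timedelta(seconds=60)           # assumed meaning of "a short time"
THRESHOLD = 5                            # assumed meaning of "a large number"
SUPERUSERS = {"root", "administrator"}   # assumed superuser account names

def parse(line):
    date, clock, src, user, result = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, src, user, result

def analyze(log_text):
    """Return (sources that look like brute force, sources with superuser failures)."""
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    brute, superuser = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        if user.lower() in SUPERUSERS:
            superuser.add(src)    # failed superuser login: verify the source is legitimate
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW: # drop failures older than the sliding window
            q.popleft()
        if len(q) >= THRESHOLD:
            brute.add(src)        # many failures in a short time: likely password guessing
    return brute, superuser
```

On the sample data, only the source with five failures inside one minute is reported as brute force; the source with five failures spread over twelve minutes is not.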

 