TMS zl Management and Configuration Guide ST.1.2.100916
6-12
Intrusion Detection and Prevention
IDS/IPS Concepts
In many DoS attacks, the only way to regain the network resources the attack
consumes is to trace the attack to its source and stop it there. Finding the
source of a straightforward SYN flood can be difficult, because the source
addresses are normally forged, but it is not impossible. Distributed and
reflected DoS attacks go further: the traffic arrives from many compromised
hosts, or from innocent third-party servers that reflect it toward the victim,
so the attacker's real location is far better disguised.
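The points above, as an added example that is not part of the guide: a toy SYN-flood detector run over constructed packet records. It counts half-open handshakes per destination (the flood symptom), measures how many distinct source addresses the SYNs carry (near 1.0 per SYN means the sources are forged and source-based blocking is futile), and flags SYN-ACKs that arrive without a preceding outbound SYN, which is the signature of a reflected flood where the visible senders are reflectors rather than the attacker. All addresses, traffic and thresholds are made up for the illustration.

```python
# Added example (not from the TMS zl guide): a toy SYN-flood detector run over
# constructed packet records, showing why source tracing fails against spoofed
# and reflected floods. All addresses and traffic below are made up.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = client's final handshake ACK


VICTIM = "192.0.2.10"  # constructed victim address


def build_sample() -> List[Pkt]:
    """Constructed traffic in three phases: (1) five genuine clients that
    complete the handshake, (2) a direct SYN flood of 200 SYNs, each with a
    different forged source, (3) a reflected flood of SYN-ACKs from 50 hosts
    the victim never contacted."""
    pkts: List[Pkt] = []
    for i in range(5):
        c = f"10.0.0.{i + 1}"
        t = float(i)
        pkts += [Pkt(t, c, VICTIM, "S"), Pkt(t + 0.01, VICTIM, c, "SA"),
                 Pkt(t + 0.02, c, VICTIM, "A")]
    for i in range(200):
        forged = f"198.51.100.{i + 1}"
        t = 10.0 + i * 0.01
        # the victim answers every forged SYN with a SYN-ACK that is never ACKed
        pkts += [Pkt(t, forged, VICTIM, "S"), Pkt(t + 0.001, VICTIM, forged, "SA")]
    for i in range(50):
        pkts.append(Pkt(20.0 + i * 0.01, f"203.0.113.{i + 1}", VICTIM, "SA"))
    return pkts


def half_open_by_dst(pkts: List[Pkt]) -> Dict[str, int]:
    """Count handshakes per destination that were opened (SYN) but never
    completed (no ACK from the same source): the SYN-flood symptom."""
    pending: Dict[Tuple[str, str], int] = defaultdict(int)
    for p in pkts:
        if p.flags == "S":
            pending[(p.src, p.dst)] += 1
        elif p.flags == "A" and pending[(p.src, p.dst)] > 0:
            pending[(p.src, p.dst)] -= 1
    half: Dict[str, int] = defaultdict(int)
    for (_, dst), n in pending.items():
        if n:
            half[dst] += n
    return dict(half)


def source_dispersion(pkts: List[Pkt], dst: str) -> Tuple[int, int]:
    """(SYNs to dst, distinct source addresses). A ratio near 1.0 means every
    SYN came from a different address, i.e. the sources are almost certainly
    forged and tracing or blocking by source address will not work."""
    syns = [p for p in pkts if p.flags == "S" and p.dst == dst]
    return len(syns), len({p.src for p in syns})


def unsolicited_synacks(pkts: List[Pkt]) -> Dict[str, List[str]]:
    """Reflection check: a SYN-ACK is legitimate only if the receiver first sent
    a SYN to that host. Anything else is backscatter from SYNs spoofed in the
    receiver's name; the senders are reflectors, not the attacker."""
    sent_syn: Set[Tuple[str, str]] = set()
    reflectors: Dict[str, Set[str]] = defaultdict(set)
    for p in pkts:
        if p.flags == "S":
            sent_syn.add((p.src, p.dst))
        elif p.flags == "SA" and (p.dst, p.src) not in sent_syn:
            reflectors[p.dst].add(p.src)
    return {v: sorted(r) for v, r in reflectors.items()}


def assess(pkts: List[Pkt], dst: str, half_open_threshold: int = 100,
           dispersion_threshold: float = 0.9) -> List[str]:
    """Return the detector's verdicts for dst. Thresholds are illustrative."""
    verdicts: List[str] = []
    half = half_open_by_dst(pkts).get(dst, 0)
    syns, distinct = source_dispersion(pkts, dst)
    if half >= half_open_threshold:
        verdicts.append("syn_flood")
        if syns and distinct / syns >= dispersion_threshold:
            verdicts.append("sources_spoofed")  # blocking by source address is futile
    if unsolicited_synacks(pkts).get(dst):
        verdicts.append("reflection")  # the real source hides behind the reflectors
    return verdicts


if __name__ == "__main__":
    sample = build_sample()
    print(half_open_by_dst(sample), source_dispersion(sample, VICTIM),
          assess(sample, VICTIM))
```

Note that the victim's own SYN-ACKs toward the forged addresses are not flagged by the reflection check, because the victim did see a SYN from each of them; they are the backscatter that some third party would observe if the attacker had spoofed that party's address instead. That asymmetry is exactly why a reflected flood is hard to trace: the victim only ever sees the reflectors.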
Backdoors
Backdoors, and the rootkits that hide them, are often disguised as email
attachments, files downloaded from the Internet, or Trojan horse programs.
When the victim clicks the link or runs the downloaded file or program, a
backdoor is installed. Attackers can then use the backdoor to control the host
and, from it, gain access to the network. Some examples of backdoor programs
are:
■ NetBus
A backdoor program that is installed on a client computer and grants
unfettered remote access to anybody who knows the port it listens on and
its password. Attackers can use the affected computer to execute
commands, start silent services, share directories, upload and download
files, and perform many other operations that expose sensitive
information or cause a denial of service. Though originally written as a
program for carrying out pranks, NetBus has been used in serious attacks,
the most famous of which is the 1999 attack on Magnus Eriksson, a law
student at Lund University, in which illegal files were uploaded onto his
computer from an unidentified location.
■ Sobig
This is a worm that initially infects a host when the user opens the
attachment of an unsolicited email sent from a spoofed address. The worm
searches the infected host for email addresses and mails copies of itself
to them using its own SMTP engine. Sobig then installs a backdoor so that
it can perpetuate itself and let spammers send email through the infected
machines.
■ SubSeven (or Sub7)
SubSeven began as a backdoor program written for pranks and mischief, such
as hiding the cursor. Like NetBus, however, Sub7 graduated into a program
widely used by attackers. Sub7 has the same features as NetBus, plus a few
more, such as webcam capture, multiple port redirects, and a user-friendly
registry editor.
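The backdoors above all share the trait the NetBus entry names: a listener on a known port that does nothing for a caller who lacks the password. The following is an added example, not code from the guide or from any of these programs, showing how a network IDS would match such listeners with port and content signatures, and why the two kinds of rule deserve different confidence. The default ports (NetBus 12345, Sub7 27374), the "NetBus " greeting banner, and all addresses and connection records are assumptions constructed for the illustration; a real deployment takes its signatures from a maintained rule set.

```python
# Added example (not from the TMS zl guide): a toy signature matcher, in the
# style of a network IDS rule set, run over constructed connection records.
# The default ports (NetBus 12345, Sub7 27374) and the "NetBus " greeting banner
# are assumptions for illustration; real deployments take them from a maintained
# rule set, not from this file.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    banner: bytes  # first bytes the server sent after connect (constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    port: Optional[int]       # None: match on any port
    content: Optional[bytes]  # None: port-only rule, no payload check


RULES: List[Rule] = [
    Rule("netbus-default-port", 12345, None),  # assumed default port
    Rule("netbus-banner", None, b"NetBus "),   # assumed banner; any port
    Rule("sub7-default-port", 27374, None),    # assumed default port
]

SAMPLE: List[Conn] = [  # constructed records, not a capture
    Conn("10.0.0.5", "10.0.0.20", 12345, b"NetBus 1.60\r"),         # backdoor on its default port
    Conn("10.0.0.5", "10.0.0.21", 40000, b"NetBus 1.70\r"),         # same backdoor, port changed
    Conn("10.0.0.7", "10.0.0.22", 12345, b"HTTP/1.1 200 OK\r\n"),   # web app that happens to use 12345
    Conn("10.0.0.5", "10.0.0.23", 27374, b""),                      # silent listener on Sub7's default port
    Conn("10.0.0.9", "10.0.0.24", 80, b"HTTP/1.1 200 OK\r\n"),      # ordinary traffic
]


def match(conn: Conn, rules: List[Rule]) -> List[str]:
    """Names of all rules whose port and content conditions the record meets."""
    hits: List[str] = []
    for r in rules:
        if r.port is not None and conn.dport != r.port:
            continue
        if r.content is not None and r.content not in conn.banner:
            continue
        hits.append(r.name)
    return hits


def classify(conn: Conn, rules: List[Rule]) -> Tuple[str, List[str]]:
    """'confirmed' if a content rule matched, 'suspect' if only port rules did,
    'clean' otherwise. A port-only hit needs verification, because legitimate
    software may reuse the port, and an ordinary scanner cannot supply that
    verification: the backdoor demands its password before doing anything."""
    hits = match(conn, rules)
    by_name = {r.name: r for r in rules}
    if any(by_name[h].content is not None for h in hits):
        return "confirmed", hits
    if hits:
        return "suspect", hits
    return "clean", hits


def scan(conns: List[Conn], rules: List[Rule] = RULES
         ) -> Dict[Tuple[str, str, int], Tuple[str, List[str]]]:
    """Classify every record, keyed by (src, dst, dport)."""
    return {(c.src, c.dst, c.dport): classify(c, rules) for c in conns}


def pivot_sources(conns: List[Conn], rules: List[Rule] = RULES,
                  min_hosts: int = 2) -> List[str]:
    """Sources that reached flagged listeners on at least min_hosts distinct
    hosts: either an operator pivoting through installed backdoors or an
    attacker sweeping the network for them. Corroborates weak port-only hits."""
    touched: Dict[str, set] = {}
    for c in conns:
        if classify(c, rules)[0] != "clean":
            touched.setdefault(c.src, set()).add(c.dst)
    return sorted(s for s, hosts in touched.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for key, verdict in scan(SAMPLE).items():
        print(key, verdict)
    print("pivoting sources:", pivot_sources(SAMPLE))
```

The second record is the case that matters most: once the operator moves the listener off its default port, the port rule is blind and only the content rule still fires. The third record is the opposite failure, an ordinary service on the well-known port, which is why a port-only alert is reported as suspect rather than confirmed and is best corroborated by behaviour such as one source touching several flagged hosts.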