Comment: how about helping ISPs stop worms? (Score: 1)
I haven't read this book, so I don't know if it covers this: if I'm an ISP, can I stop worms for the benefit of my subscribers?
It seems like all the big-time worms look the same to the network, because each one uses the same vulnerability over and over. That means that the packets hit the same port, so you could just look at the port number in the header.
Not only that, but so far worms aren't self-modifying (does that mean they're reentrant or non-reentrant? I always get that mixed up). That means that you could just write some code to watch for the same data packets by generating something that a standard intrusion detection system can read. That probably means you'd have to hash the packet's data in some smart way.
Most of the worms so far have also gone from lots of infected hosts to lots of other hosts. So if you see packets that all look the same and are going everywhere from everywhere, it's probably a worm. Not for sure, but almost for sure. And then, if you want to stop worms that hit Microsoft IIS or things like that, they're probably just x86 assembly code, so you could look for assembly code, etc.
Once you're pretty sure you have a worm on your hands, you could just filter them all out. (Yeah, yeah, so you'd have to be pretty sure it's worms you're filtering, but when a worm's loose, the net's going to suck anyway.)
I think this'd work darn well. It might end up missing some worms, but why not do this as a first step? Am I missing something, or has this already been done? Or if nobody's done it, I think someone should!
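A sketch of the detection the comment describes, added here as an example and not code from the poster or from any product: it groups packets by destination port plus a hash of the payload prefix, counts distinct sources and destinations per group, flags groups that spread many-to-many, and emits a Snort-style content rule for the shared bytes. The traffic records, the prefix length, the thresholds and the sid values are constructed assumptions; real deployments would read flow or packet captures instead.

```python
"""Content-based worm detection over packet records (added example).

Heuristic from the comment: identical payload on the same destination port,
sent from many sources to many destinations, is treated as a spreading worm.
"""
import hashlib
from dataclasses import dataclass, field

PREFIX_LEN = 48  # bytes of payload hashed per packet; an assumption, tune per link


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class ContentStats:
    sample: bytes                      # representative payload prefix for rule generation
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    count: int = 0


def content_key(pkt: Packet) -> tuple[int, str]:
    """Group by destination port plus a truncated SHA-256 of the payload prefix."""
    digest = hashlib.sha256(pkt.payload[:PREFIX_LEN]).hexdigest()[:16]
    return (pkt.dport, digest)


def aggregate(packets):
    """Per (dport, digest): distinct sources, distinct destinations, packet count."""
    stats = {}
    for pkt in packets:
        st = stats.setdefault(content_key(pkt), ContentStats(sample=pkt.payload[:PREFIX_LEN]))
        st.sources.add(pkt.src)
        st.destinations.add(pkt.dst)
        st.count += 1
    return stats


def detect_worms(packets, min_sources=3, min_destinations=3, min_packets=6):
    """Return (dport, digest, stats) for content that spreads many-to-many.

    Requiring many *sources* is what separates a worm from one popular server
    talking to many clients; requiring many *destinations* separates it from
    many clients fetching the same page from one server.
    """
    hits = []
    for (dport, digest), st in aggregate(packets).items():
        if (len(st.sources) >= min_sources
                and len(st.destinations) >= min_destinations
                and st.count >= min_packets):
            hits.append((dport, digest, st))
    return sorted(hits, key=lambda h: -h[2].count)


def snort_rule(dport, digest, st, sid):
    """Snort-style rule matching the shared payload prefix; sid is caller-chosen."""
    hexbytes = " ".join(f"{b:02x}" for b in st.sample)
    return (f'alert tcp any any -> any {dport} '
            f'(msg:"worm-like content {digest}"; content:"|{hexbytes}|"; '
            f'sid:{sid}; rev:1;)')


# Constructed sample traffic, not real captures.
WORM_PAYLOAD = b"GET /vuln.dll?" + b"X" * 64 + b" HTTP/1.0\r\n"
LEGIT_GET = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

SAMPLE = (
    # four infected hosts, each probing three victims on port 80: many-to-many
    [Packet(f"10.0.{i}.5", f"192.168.{j}.7", 80, WORM_PAYLOAD)
     for i in range(1, 5) for j in range(1, 4)]
    # nineteen clients fetching one page from one server: many-to-one, not a worm
    + [Packet(f"172.16.{k}.2", "203.0.113.10", 80, LEGIT_GET) for k in range(1, 20)]
    # a copy that changes one byte per infection: hashes never collide, so it is missed
    + [Packet(f"10.1.{i}.9", f"192.168.{i}.8", 80,
              b"GET /vuln.dll?" + bytes([0x41 + i]) * 64 + b" HTTP/1.0\r\n")
       for i in range(1, 5)]
)


def main():
    for n, (dport, digest, st) in enumerate(detect_worms(SAMPLE), start=1):
        print(f"port {dport}: {len(st.sources)} sources -> {len(st.destinations)} "
              f"destinations, {st.count} packets")
        print(snort_rule(dport, digest, st, sid=1000000 + n))


if __name__ == "__main__":
    main()
```

Only the first group is flagged. The popular page is many-to-one and stays under the source or destination threshold, which is the false-positive case the comment worries about, and the per-copy-varying payload never groups at all, which is the limit of exact-content matching that the comment's "worms aren't self-modifying" assumption depends on.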