
Research On The Techniques Of Network Attack And Defense Based On Rootkit In Linux

Posted on: 2009-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: L L Shi
Full Text: PDF
GTID: 2178360242977074
Subject: Communication and Information System

Abstract/Summary:
With the rapid development of computer networks, information security has become one of society's major issues. As the saying goes, "the good is strong, but the evil is ten times stronger": the contest between attack and defense is the permanent theme of the information security field, and a thorough understanding of how attackers launch their attacks is of great value for building information security safeguards. As a powerful tool for attacking Linux, the rootkit has penetrated deeply into the PC: from the operating system kernel down to the hardware, each generation of rootkit has reached deeper into the system, and both its rate of spread and its sophistication are growing rapidly. This thesis analyses and researches rootkit attack and defense technology in depth and, based on the capture and analysis of rootkit intrusion information, implements a honeynet defense system that improves the defensive capability of the network system.

The thesis starts from the origin, function and harm of rootkits and introduces the basic knowledge of the Linux system and of rootkits, including the relevant principles and data structures: the system call mechanism, the loadable module mechanism, the core directory structure and the EXT2/3 file system. After explaining the implementation principles of user-mode and kernel-mode rootkits separately, it concentrates on analysing and explaining the various attack techniques based on kernel-mode rootkits. It first introduces the most popular technique, the loadable kernel module (LKM), and elaborates in detail on the sys_call (system call) attack method; it then discusses modification through /dev/kmem for the situation in which LKM is not available; it then addresses the problem of surviving a system restart by modifying the kernel image on the hard disk, explained with examples. Given the importance of the kernel module to the rootkit, it analyses module hiding and proposes several methods; it also discusses the implementation of hiding ext2/3 files both by system call hiding and by physical hiding; it then turns to the deeper BIOS-level rootkit and discusses some ways in which it might be implemented.

After analysing rootkit attack methods, the thesis proposes rootkit defense from three aspects: prevention, detection and countermeasures; it summarises and compares several detection techniques and proposes some improvements on the existing foundation. In order to understand rootkit attack methods better and to obtain the characteristics and data of each kind of rootkit, we propose catching and detecting rootkits with a honeynet system, explain the construction and implementation of the honeynet system, and complete the analysis and locating of one kind of rootkit caught in this honeynet system. Finally, the thesis closes with a summary of the whole work and an outlook.
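The sys_call attack and the detection techniques the abstract summarises are easiest to see in a concrete integrity check, the classic comparison of the live system call table against the symbol addresses in System.map. The following Python is an added example, not code from the thesis: it parses a System.map-style listing, compares each live handler address with the address its expected kernel symbol should have, and flags entries that point outside the kernel text (above `_etext`), which is what an LKM-based hook looks like. The System.map excerpt, the table dump, the syscall numbers and all addresses are constructed, hypothetical sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of a System.map ("address type symbol"); hypothetical values.
SYSTEM_MAP = """\
c0105a40 T sys_read
c0105b10 T sys_write
c0106c20 T sys_open
c0107d30 T sys_getdents64
c0108e40 T sys_kill
c0120000 T _etext
"""

# Constructed sample dump of the live sys_call_table: syscall number -> handler.
# Entries 5 and 220 have been redirected above _etext, i.e. into module memory,
# which is the signature of the LKM hooking technique the abstract describes.
LIVE_TABLE = {
    3: 0xc0105a40,    # read
    4: 0xc0105b10,    # write
    5: 0xd0834120,    # open       -> hooked (constructed)
    37: 0xc0108e40,   # kill
    220: 0xd0834200,  # getdents64 -> hooked (constructed)
}

# Hypothetical mapping of syscall number to the symbol that should handle it;
# real numbers are architecture specific and would come from the kernel headers.
EXPECTED_SYMBOL = {
    3: "sys_read",
    4: "sys_write",
    5: "sys_open",
    37: "sys_kill",
    220: "sys_getdents64",
}


@dataclass(frozen=True)
class Finding:
    nr: int
    symbol: str
    live: int
    expected: int
    outside_kernel_text: bool


def parse_system_map(text):
    """Return {symbol: address} from lines of the form 'addr type name'."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-fA-F]+)\s+(\S)\s+(\S+)$", line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def check_syscall_table(live, expected, symbols):
    """Report every syscall whose live handler differs from its System.map address."""
    etext = symbols.get("_etext")
    findings = []
    for nr, name in sorted(expected.items()):
        if name not in symbols or nr not in live:
            continue  # nothing to compare against; a real tool would report this too
        if live[nr] != symbols[name]:
            findings.append(Finding(
                nr, name, live[nr], symbols[name],
                etext is not None and live[nr] >= etext,
            ))
    return findings


def audit(system_map=SYSTEM_MAP, live=LIVE_TABLE, expected=EXPECTED_SYMBOL):
    """Run the comparison on the constructed sample data and return the findings."""
    return check_syscall_table(live, expected, parse_system_map(system_map))


if __name__ == "__main__":
    for f in audit():
        tag = " [outside kernel text]" if f.outside_kernel_text else ""
        print(f"syscall {f.nr} ({f.symbol}): live {f.live:#x} != System.map {f.expected:#x}{tag}")
```

On a real host the table dump would have to come from a kernel-side reader (the thesis itself discusses /dev/kmem), and the check only catches pointer replacement: a rootkit that patches the body of the original handler, or that was written into the on-disk kernel image so that System.map itself is stale, will not show up in this comparison, which is why the abstract's combination of prevention, detection and honeynet capture matters.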
Keywords/Search Tags: Linux, Rootkit, Network Attack and Defense, System_call, LKM, Honeynet