Virus protection, and the task of implementing it, typically falls within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today's worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating that these systems be implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
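The following simulation is an added illustration of the mechanism just described; it is not from the book and models no particular router. It treats router RAM as a fixed pool of packet buffers, holds a buffer for every packet whose destination never answers ARP until the ARP timeout expires, and shows that once a worm's sweep rate times the ARP timeout exceeds the pool, traffic to live hosts is dropped as well. All addresses, rates and timeouts are constructed, hypothetical values.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Router:
    """Constructed model: one buffer per queued packet stands in for router RAM."""
    buffers: int                     # free packet buffers
    arp_timeout: int                 # ticks an unanswered ARP request is held
    online: set                      # hosts on the connected subnet that answer ARP
    pending: deque = field(default_factory=deque)  # (expiry_tick, destination)
    dropped: int = 0

    def receive(self, dst, now):
        """Accept one packet for the directly connected subnet; True if queued or forwarded."""
        self._expire(now)
        if self.buffers == 0:        # no room to queue: the packet is dropped
            self.dropped += 1
            return False
        if dst in self.online:       # ARP answered promptly: forwarded, buffer freed at once
            return True
        self.buffers -= 1            # absent host: buffer is held until the ARP times out
        self.pending.append((now + self.arp_timeout, dst))
        return True

    def _expire(self, now):
        """Release buffers whose ARP request has timed out by tick `now`."""
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()
            self.buffers += 1

def simulate(scan_rate, legit_rate=5, ticks=200, buffers=1000, arp_timeout=30):
    """Sweep a /24 with `scan_rate` probes per tick; return legitimate-traffic statistics."""
    subnet = [str(h) for h in ipaddress.ip_network("10.0.0.0/24").hosts()]
    online = set(subnet[:10])        # ten live hosts; the other 244 addresses are empty
    router = Router(buffers, arp_timeout, online)
    legit_dropped, i, min_free = 0, 0, buffers
    for t in range(ticks):
        for _ in range(scan_rate):   # worm probes every address of the subnet in turn
            router.receive(subnet[i % len(subnet)], t)
            i += 1
        for k in range(legit_rate):  # legitimate traffic destined for live hosts
            if not router.receive(subnet[k % len(online)], t):
                legit_dropped += 1
        min_free = min(min_free, router.buffers)
    return {"legit_sent": legit_rate * ticks, "legit_dropped": legit_dropped,
            "min_free_buffers": min_free}

if __name__ == "__main__":
    print("quiet network:", simulate(scan_rate=0))
    print("worm sweeping:", simulate(scan_rate=50))
```

With the defaults, 50 probes per tick held for 30 ticks need roughly 1,440 buffers against a pool of 1,000, so the pool empties after about 20 ticks and stays empty while the sweep continues.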
I know of a number of companies that have invested heavily in virus protection for their Windows-based systems but run no virus protection on their Unix and Linux systems. As Linux, in particular, continues to gain market share, it is only a matter of time before more Linux-based viruses are written and distributed. Do not overlook the risk of not protecting your Unix/Linux systems. Viruses are not uniquely a Windows problem.
If you are not running virus protection on all your systems (Windows, Unix, Linux, and Macintosh based), you need to be.
Don't forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant number of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don't overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.