
2. LIDS prevents worm spreading

2.1 What is LIDS

LIDS is a kernel patch, released under the GPL, that enhances kernel security. LIDS for kernel 2.5 uses the LSM (Linux Security Modules)[4] framework and extends it to work with NETFILTER to make network control more granular. LIDS restrictions are inherited: any restriction placed on a process also applies to its children. In the following sections we say only "process", but this means "process and its children".

LIDS provides two ways to deal with this situation, depending on the application's behavior.

2.2 Socket Restriction

LIDS provides a way to control network access for a specific application. The controls cover socket create, connect, shutdown, bind and accept. By disabling an application's socket creation, we deny a worm the ability to connect outside. This approach applies to applications that do not need to connect outside, such as HTTP, or FTP in passive mode. If we apply this restriction to Apache, we can avoid the Apache SSL worm.


Any network connection through a TCP/IP network must be associated with a socket; creating one is the first step of any network activity. LIDS provides 3 ways to restrict socket creation.

LIDS_SOCKET_CREATE: when disabled for a process, this disables all new network operations within the process, such as a new connection or a new bind, but does not prevent connections from outside to the process. This is very useful when a process does not bind to a new port or make a new connection during its normal operation.

For example, if service A never makes a connection or binds to a new port, you can simply disable LIDS_SOCKET_CREATE. That helps prevent a worm from spreading outside through a new connection, or from binding a port to install a backdoor.

In a real-world case, the Apache SSL Slapper worm attack, the worm tries to install a backdoor listening on a special port and then connects outside to propagate itself. If we disable the socket connection capability, the backdoor installation and the worm propagation are stopped.

LIDS_SOCKET_CREATE_TCP: when disabled, this disables socket operations for TCP only.

LIDS_SOCKET_CREATE_UDP: when disabled, this disables socket operations for UDP only.

LIDS_SOCKET_CONNECT - Socket Connection

When a new connection is established, the socket connect is performed first, so disabling this capability disables any new connection from the process.


When an application listens on a port to serve remote clients, it first performs a socket bind, so disabling this capability disables any attempt to bind to a special port. This is very helpful for stopping backdoor installation.

2.3 Packet label and Netfilter control

Some applications need to connect outside: for example DNS, SMTP, TELNET and SSH, and even HTTP sometimes needs to resolve a hostname from a remote DNS server. In this case we cannot simply disable the socket or disable all connections, since that may stop some valid connections.

NETFILTER[3] provides a very good method of controlling packets via the mangle table. In the mangle table, a NETFILTER hook can alter a packet and also take actions based on the packet's special value. It can label a packet with a value, match a packet against that value, and then take an action on it. Netfilter also provides PID, UID, GID and session based matches. Using Netfilter alone, one can implement a function very similar to what LIDS does, but it needs some dynamic rules to support it.

LIDS provides a way to label all the packets coming from a process and its children with a value, which you can then control with NETFILTER. For example, you can label all the packets generated by DNS with 6, and then use NETFILTER to restrict the packets marked 6; in this way you have total control over all the packets generated by DNS and its children. If you just want it to connect to one DNS server outside, you can simply write an iptables rule for it. For Telnet and SSH, you can use this so that users of ssh/telnet can access only some sites outside.

Since every restriction applies to an application and its children, if a worm gets a shell and runs commands, the shell and the commands are also under the restriction.
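
The DNS case described above, written out as iptables rules (an added example, not part of the original HOWTO or of LIDS itself). It assumes the LIDS label is visible to the iptables mark match; the resolver address 192.0.2.53 and the chain name LIDS_DNS are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that confine every packet carrying a
# given mark to a single DNS server and log anything else before dropping it.
# Assumptions: mark 6 is the DNS label used in the text, the LIDS label is
# seen by the iptables "mark" match, 192.0.2.53 is a constructed resolver
# address, and LIDS_DNS is a hypothetical chain name.

MARK=6
DNS_SERVER=192.0.2.53
CHAIN=LIDS_DNS

# dns_mark_rules MARK SERVER
# Prints the rules instead of applying them, so they can be reviewed first.
dns_mark_rules() {
    mark=$1
    server=$2

    # Refuse anything that is not a plain number / dotted IPv4 address, so a
    # bad argument can never turn into extra shell text when the output is run.
    case $mark in
        ''|*[!0-9]*) echo "mark must be an integer" >&2; return 1 ;;
    esac
    case $server in
        ''|*[!0-9.]*) echo "server must be an IPv4 address" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -N $CHAIN
iptables -A OUTPUT -m mark --mark $mark -j $CHAIN
iptables -A $CHAIN -d $server -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN -d $server -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN -j LOG --log-prefix "lids-dns-deny: "
iptables -A $CHAIN -j DROP
EOF
}

# Print the rules for review; pipe the output into sh as root to apply them.
dns_mark_rules "$MARK" "$DNS_SERVER"
```

Because the restriction covers the process and its children, a shell spawned from the DNS daemon that tries to reach any other host hits the LOG and DROP rules, which also gives a kernel log line to alert on.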
