Re: New Method for Blocking Code Red and Similar Exploits

From: Nelson Neves (nnevesat_private)
Date: Tue Aug 07 2001 - 22:07:23 PDT

    Hi Randy,
    
    We implemented the 2nd approach. The 1st approach you referred to didn't 
    work out, because even after we issued the service-policy command on 
    the interface, the policy-map didn't get associated with it. Probably a 
    minor IOS problem/bug, but in this case, I think the 2nd approach is 
    better in terms of CPU consumption. Replying to your 2nd question, we 
    have the logs before and after the implementation of NBAR. About this 
    situation, please keep in mind that we also have an extended ACL on the 
    serial interface (a 256Kb frame-relay link) blocking almost everything 
    except www (and some other services) for our web servers. Nonetheless, 
    today we had some 400 hits or so directly on the web servers, and as we 
    could see in the log files, the data in the packets were Code Red I and 
    Code Red II fingerprints, but after the policy configuration, we are 
    only getting HTTP 408 logs, nothing else :-) We're currently monitoring 
    the log files of the web servers and our Internet router, and 
    fortunately, it appears that the effects of the worm are getting 
    dumped big time :-)
    
    Show proc before NBAR:
    
    CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
    
    Show proc after NBAR and CEF:
    
    CPU utilization for five seconds: 6%/3%; one minute: 4%; five minutes: 3%
    
    So, there's no big increase in CPU consumption, but we'll keep an eye 
    on it.
    
    Very best regards,
    Nelson Bruno S. Neves
    ------------------------------------------------------------------------
    Systems Engineer
    Cisco Certified Network Professional, Security, Voice and ATM Specialist
    
    Convex Portugal
    Taguspark - Edificio Ciencia II, Nr.2, Piso 2
    2780-920 Porto Salvo - Portugal
    Telefone: ++351 21 4229200
    Fax: ++351 21 4223787
    www: http://convex.pt
    e-mail: nnevesat_private
    ICQ# 86937816
    ------------------------------------------------------------------------
    
    ----- Original Message -----
    From: "Randy Benn" <rbennat_private>
    Date: Wednesday, August 8, 2001 4:00 am
    Subject: Re: New Method for Blocking Code Red and Similar Exploits
    
    > Antonio,
    > 
    > Thanks for the feedback.  I've included a note about the need to 
    > turn on CEF in the latest version of the advisory.  Already had it 
    > on in my router for NBAR protocol discovery, so I forgot to add it 
    > to the sample configs.
    > 
    > Also, thanks for the tip on the IOS versions.  I've got minimum 
    > versions listed, perhaps I'll add a note about deferred releases, 
    > but that's a whole different ball game altogether.
    > 
    > A couple more questions for you:
    > 
    > 1) Did you implement the filtering (approach #1) or policing 
    > (approach #2) solution?
    > 
    > 2) Do you have any befor
    > Thanks,
    > 
    > Randy
    > 
    > 
    > ----- Original Message -----
    > From: "Antonio Vasconcelos" <vascoat_private>
    > To: "Randall S. Benn" <rbennat_private>
    > Cc: <incidentsat_private>; <nnevesat_private>
    > Sent: Tuesday, August 07, 2001 10:46 PM
    > Subject: Re: New Method for Blocking Code Red and Similar Exploits
    > 
    > 
    > > Hi Randy,
    > >
    > > We are currently trying the solution (it's 3.30 am here in PT) you 
    > > provided and we're happy to say that it works perfectly. The URL that 
    > > comes with the Code Red is dropped without any questions asked and 
    > > the log shows a 408 reply (Request Timed Out, according to the HTTP 
    > > RFC) on the web server log, keeping the content out. You can check 
    > > out the output from the log below.
    > >
    > > Before implementing NBAR:
    > >
    > > 194.x.x.x- - [0> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 889
    > >
    > >
    > > After implementing NBAR:
    > >
    > > 194.x.x.x- - [0>
    > > So it's ok to go ahead and spread the word ;-) just one thing ... you 
    > > forgot to mention that IP CEF has to be configured for the policy map 
    > > to work, like this:
    > >
    > > Router(config)#ip cef
    > > Router(config)#int s0/0
    > > Router(config-if)#ip route-cache cef
    > >
    > > It's a bit hard on the processor, but we can't make omelets without 
    > > breaking some eggs :-). Last, but not least, IOS version 12.1(5)T is 
    > > deferred, so we'd recommend using version 12.1(5)T9 instead. It's 
    > > tested and working on a 2600 platform.
    > >
    > > Thanks for the tip and best regards,
    > > Antonio Vasconcelos & Nelson Neves
    > >
    > > At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
    > > >A new method for blocking Code Red and similar exploits that 
    > > >use HTTP GET requests has been published.  The method uses new 
    > > >capabilities within Cisco IOS software.  Read the on-line advisory at:
    > > >
    > > >http://iponeverything.net/CodeRed.html
    > > >
    > > >The beauty of this solution is that it can be used to block 
    > > >Code Red infections today and can be easily modified with new 
    > > >signatures in the future using the HTTP sub-port classification 
    > > >mechanism in IOS.
    > > >
    > > >Randy
    > > >
    > > >
    > >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
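The before/after comparison Antonio and Nelson describe (full Code Red GETs answered with 404 before the NBAR policy, only bare 408 Request Timeout entries afterwards) can be checked mechanically against web server logs. The script below is an added example, not code from the thread or from Randy's advisory. It parses Apache-style Common Log Format lines, matches the Code Red request structure (a long filler run in the /default.ida query string followed by %u-encoded shellcode) rather than exact bytes, and counts 408 entries with an empty request line separately, since those are what the server logs when the router drops the GET after the TCP handshake. The sample log lines are constructed, the hosts are RFC 5737 test addresses, and the 'N' filler used to tell Code Red II apart from Code Red I comes from public analyses of the worm, not from the excerpt above.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Apache-style Common Log Format, the shape of the excerpt quoted in the thread.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red request line: /default.ida? followed by a long run of one filler
# character and then %uXXXX-encoded shellcode. Filler 'X' is the Code Red I
# sample shown in the thread; filler 'N' is the Code Red II variant (assumption
# from public worm analyses, not from the thread). Matching on structure means
# a changed filler or shellcode prefix still triggers.
CODERED_RE = re.compile(
    r'^GET /default\.ida\?(?P<filler>[XN])(?P=filler){20,}.*?(?:%u[0-9a-fA-F]{4}){4,}'
)


def codered_variant(request: str) -> Optional[str]:
    """Return 'Code Red I', 'Code Red II' or None for one request line."""
    m = CODERED_RE.match(request)
    if not m:
        return None
    return 'Code Red I' if m.group('filler') == 'X' else 'Code Red II'


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count worm requests that reached the server versus timed-out connections.

    A matching GET with any status means the whole request arrived and the
    server answered it (404 in the thread's pre-NBAR log). A 408 with no
    request line means the client connected but the request never completed,
    which is what the thread reports once the policy drops the matching GET.
    """
    counts: Counter = Counter()
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            counts['unparsed'] += 1
            continue
        request = m.group('request')
        status = int(m.group('status'))
        variant = codered_variant(request)
        if variant:
            counts[variant] += 1
        elif status == 408 and request in ('', '-'):
            counts['408 with no request'] += 1
        else:
            counts['other'] += 1
    return dict(counts)


# Constructed sample data (not from the thread). The shellcode tail is the
# %u sequence visible in the quoted log; the filler length is illustrative.
_SHELLCODE = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858'
              '%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
              '%u0078%u0000%u00=a')

BEFORE_NBAR = [
    '192.0.2.10 - - [07/Aug/2001:22:15:01 +0100] "GET /default.ida?'
    + 'X' * 224 + _SHELLCODE + ' HTTP/1.0" 404 889',
    '192.0.2.11 - - [07/Aug/2001:22:16:44 +0100] "GET /default.ida?'
    + 'N' * 224 + _SHELLCODE + ' HTTP/1.0" 404 889',
    '192.0.2.12 - - [07/Aug/2001:22:17:09 +0100] "GET /index.html HTTP/1.0" 200 1532',
]

AFTER_NBAR = [
    '192.0.2.13 - - [08/Aug/2001:03:30:12 +0100] "-" 408 -',
    '192.0.2.14 - - [08/Aug/2001:03:31:55 +0100] "-" 408 -',
    '192.0.2.12 - - [08/Aug/2001:03:32:02 +0100] "GET /index.html HTTP/1.0" 200 1532',
]

if __name__ == '__main__':
    print('before NBAR:', summarize(BEFORE_NBAR))
    print('after NBAR: ', summarize(AFTER_NBAR))
```

Run it against the real access logs from both sides of the change: the worm variant counts should drop to zero while the count of request-less 408s rises, which is the pattern Nelson reports. A legitimate client stalling on a slow link also produces a bare 408, so the 408 count is corroborating evidence, not proof on its own; the router's policy-map counters are the authoritative drop figure.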
    



    This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:00:31 PDT