Re: New Method for Blocking Code Red and Similar Exploits

From: Antonio Vasconcelos (vascoat_private)
Date: Tue Aug 07 2001 - 19:46:55 PDT


    Hi Randy,
    
    We are currently trying the solution (it's 3.30 am here in PT) you provided 
    and we're happy to say that it works perfectly. The URL that comes with the 
    Code Red is dropped without any questions asked and the log shows a 408 
    reply (Request Timed Out, according to the HTTP RFC) on the web server log, 
    keeping the content out. You can check out the output from the log below.
    
    Before implementing NBAR:
    
    194.x.x.x- - [08/Aug/2001:03:13:31 +0000] "GET 
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7
    801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
    HTTP/1.0" 404 889
    
    
    After implementing NBAR:
    
    194.x.x.x- - [08/Aug/2001:03:34:17 +0000] "-" 408 -
    
    So it's OK to go ahead and spread the word ;-). Just one thing ... you 
    forgot to mention that IP CEF has to be configured for the policy map to 
    work, like this:
    
    Router(config)#ip cef
    Router(config)#int s0/0
    Router(config-if)#ip route-cache cef
    
    It's a bit hard on the processor, but we can't make omelets without 
    breaking some eggs :-). Last, but not least, IOS version 12.1(5)T is 
    deferred, so we'd recommend using version 12.1(5)T9 instead. It's tested 
    and working on a 2600 platform.
    
    Thanks for the tip and best regards,
    Antonio Vasconcelos & Nelson Neves
    
    At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
    >A new method for blocking Code Red and similar exploits that use HTTP GET 
    >requests has been published.  The method uses new capabilities within 
    >Cisco IOS software.  Read the on-line advisory at:
    >
    >http://iponeverything.net/CodeRed.html
    >
    >The beauty of this solution is that it can be used to block Code Red 
    >infections today and can be easily modified with new signatures in the 
    >future using the HTTP sub-port classification mechanism in IOS.
    >
    >Randy
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
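The two log entries above are the evidence the post relies on: before the router filter, the worm's "GET /default.ida?..." request line reaches the web server and is answered (404, 889 bytes); afterwards the server only sees a connection that times out with no request line ("-" 408 -). The following script is an added example, not code from the post, from the advisory it points to, or from Cisco. It parses common-log-format lines, applies a glob match in the style of an IOS "match protocol http url" class-map pattern (approximated here with Python's fnmatch, an assumption about the exact pattern semantics), and classifies each entry as a worm request that reached the server, a connection dropped before any request arrived, or ordinary traffic. The sample log is constructed from the shape of the post's entries: the client address 194.x.x.x is replaced with a placeholder, the long X/%u payload is shortened, and a third benign line is added.

```python
"""Classify web-server log lines around a router-side HTTP URL filter.

Added example, not part of the original post or of the advisory it cites.
The sample log below is constructed; addresses are documentation placeholders.
"""

import fnmatch
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample entries modelled on the post's "before NBAR" and
# "after NBAR" lines (payload shortened, client address anonymised).
SAMPLE_LOG = """\
194.0.2.1 - - [08/Aug/2001:03:13:31 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 889
194.0.2.1 - - [08/Aug/2001:03:34:17 +0000] "-" 408 -
198.51.100.7 - - [08/Aug/2001:03:40:02 +0000] "GET /index.html HTTP/1.0" 200 1532
"""

# URL patterns in the glob style of the IOS class-map line
#   match protocol http url "*default.ida*"
# Further signatures can be appended to this list as the quoted advisory
# suggests; only the Code Red one from the post is used here.
NBAR_URL_PATTERNS = ["*default.ida*"]

# Apache/NCSA common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Entry:
    host: str
    time: str
    method: Optional[str]  # None when the server logged no request line ("-")
    url: Optional[str]
    status: int
    size: Optional[int]    # None when logged as "-"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one common-log-format line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    request = m.group("request")
    method = url = None
    if request != "-":
        parts = request.split(" ")
        method = parts[0]
        url = parts[1] if len(parts) > 1 else ""
    size = m.group("size")
    return Entry(m.group("host"), m.group("time"), method, url,
                 int(m.group("status")), None if size == "-" else int(size))


def nbar_url_matches(url: str, patterns=NBAR_URL_PATTERNS) -> bool:
    """Glob match approximating an IOS 'match protocol http url' pattern.

    fnmatchcase handles '*' and '?'; case-sensitive matching is an assumption.
    """
    return any(fnmatch.fnmatchcase(url, p) for p in patterns)


def classify(entry: Entry) -> str:
    """Label an entry by what it says about the router filter."""
    if entry.url is not None and nbar_url_matches(entry.url):
        # The request line reached the server, so the filter was not in place
        # (or did not match). The server's status code is irrelevant here.
        return "worm-request-reached-server"
    if entry.method is None and entry.status == 408:
        # A connection was opened but no request line arrived before the
        # server's timeout: consistent with the router dropping the packets
        # that carry the matching URL.
        return "dropped-before-request"
    return "normal"


def summarize(log_text: str) -> Dict[str, int]:
    """Count entries per classification, skipping unparseable lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {count}")
```

Running it against a real server log is a quick way to confirm the filter is doing its job: once the policy is active and CEF is enabled on the interface, matching requests should stop appearing as parsed request lines and show up, if at all, only as 408 entries with no request.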
    



    This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:50:15 PDT