On Wednesday, August 08, 2001 11:31 PM, Mark Lewis wrote:

> While poking around in my logs following Code Red I started noticing that there were no entries indicating any attempts. Not fully believing this I went ahead and got Snort back up and running and waited 10 min and I already had 17 hits. After thinking a bit I came to the conclusion that the cause for this is host headers. Now, how this applies to future vulnerabilities is this: most of these script based attacks generate random IPs, so if you use host headers even if only one site is present it would require a name to tell the web server which dir to send the request to. Not sure how effective this would be against Unicode type exploits, but I feel it would have helped with CR. Should be able to accomplish the same thing with Apache too.....
>
> Any thoughts or experiences?

Mark,

Using host headers on IIS servers will likely protect you from more than 90% of the attacks that are currently circulating, as most of them rely on scanning and exploitation via http://yourIPaddress. This is particularly true for Code Red v1 and v2, the sadmind/IIS worm, the new Code Red II worm and the common scripted scans for decoding vulnerabilities.

However, you should take the following into consideration:

1) It won't protect you from people who use search engines to find potentially vulnerable servers and attackers who have targeted your server;

2) You should not allow this additional layer of protection to lull you into a false sense of security - secure configuration of IIS including removal of unused server extension mappings and default virtual directories and application of current patches is still needed; and

3) Your server will no longer log any of the scans and attempts that use the IP address. In the absence of IDS, web server access logs are a useful tool for knowing what is out there and what is trying to get into your server.

Michael Katz
mikeat_private
Responsible Solutions, Ltd.
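Mark mentions that the same thing should be possible with Apache, and Michael's point 3 is that routing by host header costs you the log entries for requests that arrive by IP address. The configuration below is an added example for this thread, not something either poster provided: it uses Apache httpd 2.4 name-based virtual hosting (the NameVirtualHost directive of the Apache 1.3 era is not needed in 2.4) with a catch-all default vhost that serves nothing but keeps its own access log, so requests made to http://yourIPaddress are still recorded. The site name www.example.com, the directories under /var/www and the log paths under /var/log/httpd are assumptions for the example.

```apache
# Added example (not from the original thread): Apache httpd 2.4 name-based
# virtual hosting with a catch-all default vhost. Assumes a single real site,
# www.example.com, and the /var/www and /var/log/httpd paths used below.

Listen 80

# Log the Host request header (%{Host}i) next to the usual combined fields, so
# each log line shows whether the client named the site or only hit the IP.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" host=\"%{Host}i\"" hostcombined

# The first vhost listed for *:80 is the default: it receives every request
# whose Host header matches no ServerName/ServerAlias, and every request that
# carries no Host header at all (HTTP/1.0 scanners hitting http://<IP>/).
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Serve nothing, but keep a separate record of what arrived by IP address;
    # this restores the visibility point 3 in the reply says you would lose.
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    ErrorLog  /var/log/httpd/catchall_error.log
    CustomLog /var/log/httpd/catchall_access.log hostcombined
</VirtualHost>

# The real site only answers requests that name it.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        Require all granted
    </Directory>
    ErrorLog  /var/log/httpd/example_error.log
    CustomLog /var/log/httpd/example_access.log hostcombined
</VirtualHost>
```

To confirm the split on your own server, request the IP address directly and then request it again with the site's hostname: the first should return 403 and appear only in catchall_access.log, the second should be served and appear only in example_access.log. Reviewing catchall_access.log periodically gives you the same picture of IP-based scanning that the single access log gave before, and the host= field makes it easy to spot requests that did name the site, which is the case point 1 warns this arrangement does nothing against.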
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:38:04 PDT