RE: code red attacks and real-time blackhole'ng

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Mon Sep 10 2001 - 08:29:09 PDT


    1) TCP and UDP ports have nothing to do with each other, and HTTP is not 
       implemented over UDP, so blocking TCP only is proper.
    2) You're piping multi-line data into awk, which prints out one column of 
       that data.  At the command-line, though you rarely notice, multi-line 
       data is treated just like data with spaces between them, so you end up 
       with 10 IP address arguments on the command line there for 10 lines of 
       CodeRed log data.  Take a look at the 'xargs' command, which accepts 
       stdin data and executes a command for each line of data it receives.
    3) Due to #2, your `awk` command cannot complete until all of the data 
       from stdin is received.  Since the tail -f never exits, awk sits there 
       waiting for more.  The command line is never completed, so ipchains is 
       never executed.
    
    You probably want something more like (untested, edit to taste and 
    specific configuration):
    
       # GNU grep/awk; every stage must flush per line or ipchains lags behind tail -f
       tail -f /var/log/messages | grep --line-buffered -i codered | \
          grep --line-buffered -v proxy | \
          awk '{ split($11, a, ":"); print a[1]; fflush() }' | \
          xargs -I {} ipchains -A input -p tcp -s {}/32 -d 0/0 80 -i eth1 -j DENY
    
    But other posters have suggested already-written and already-proven 
    techniques to accomplish the same goal.
    
    David
    
    -----Original Message-----
    From: Florian Piekert [mailto:floppyat_private]
    Sent: Friday, September 07, 2001 18:47
    To: incidentsat_private
    Subject: code red attacks and real-time blackhole'ng
    
    my idea was as follows:
    
    #!/bin/bash
    tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk '{print $11}' | awk -F : '{print $1}' |
    ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp
    
    Several problems now occur (for some of you probably trivialities):
    
    1) does the above port 80 blocking only make sense if tcp and udp are blocked, or is
    tcp sufficient?
    2) when I do a tail -n 1000 instead of the tail -f, ipchains bitches because it gets 1000
    (not that many, of course) IP addresses at once but only wants _1_ argument, not a list.
    3) when I do a tail -f nothing happens at all; without the ipchains command no output is
    generated at all even if new entries in /var/log/messages appear, but if I tail -n 1000
    /var/log/messages and use the above pipes, I get a neat list of IP addresses...
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
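
    The pipeline the two posts argue about, written out as an added example
    (not code from either poster): one firewall invocation per address, no
    stage that blocks on stdin or sits on a block buffer, a sanity check that
    the extracted token is actually an address, and a dedup so a host probing
    every few seconds does not earn a fresh DENY rule each time. The log lines
    are constructed for illustration and put the "src:port" token in field 9;
    Florian's logger used field 11, which is why the field number is a
    parameter. Function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from either post: the tail -f / extract / block pipeline
# done as functions, with one ipchains run per address, no stage blocking on
# stdin, and a dedup so a repeat offender does not get a duplicate rule.

# Constructed sample log lines (not real data). In this made-up format the
# "src:port" token is field 9; the logger in the original post used field 11.
SAMPLE_LOG='Sep 10 08:01:02 gw kernel: CodeRed probe from 192.0.2.10:4321 to 10.0.0.5:80
Sep 10 08:01:03 gw kernel: CodeRed probe from 192.0.2.10:4322 to 10.0.0.5:80
Sep 10 08:01:04 gw httpd: proxy request codered from 198.51.100.7:1234
Sep 10 08:01:05 gw kernel: codered probe from 203.0.113.9:5555 to 10.0.0.5:80
Sep 10 08:01:06 gw sshd: Accepted publickey for root from 192.0.2.99 port 22
Sep 10 08:01:07 gw kernel: CodeRed signature list reloaded'

# extract_attackers FIELD
# Reads log lines on stdin, prints each attacker IP once. Filtering is done
# inside awk rather than in grep stages so that nothing between tail -f and
# the firewall command sits on a block buffer; fflush() pushes each address
# out as soon as it is seen.
extract_attackers() {
    field="${1:-9}"
    awk -v f="$field" '
        tolower($0) ~ /codered/ && tolower($0) !~ /proxy/ {
            split($f, a, ":")                        # strip the :port suffix
            ip = a[1]
            # act only on something that looks like an address, and only once
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in seen)) {
                seen[ip] = 1
                print ip
                fflush()
            }
        }'
}

# ipchains_rule IP
# The rule text for one address. Lower-case -p is the protocol flag;
# upper-case -P sets a chain policy, an easy slip in a hurry.
ipchains_rule() {
    printf 'ipchains -A input -p tcp -s %s/32 -d 0/0 80 -i eth1 -j DENY\n' "$1"
}

# block_attackers
# One command per address read from stdin. Prints the rule unless DRY_RUN=0,
# so the example runs without root or ipchains installed.
block_attackers() {
    while IFS= read -r ip; do
        rule=$(ipchains_rule "$ip")
        if [ "${DRY_RUN-1}" != 0 ]; then
            printf '%s\n' "$rule"
        else
            $rule
        fi
    done
}

# Demo on the constructed sample; live use would be
#   tail -f /var/log/messages | extract_attackers 11 | block_attackers
printf '%s\n' "$SAMPLE_LOG" | extract_attackers 9 | block_attackers
```

    Run as-is it prints two rules, one for 192.0.2.10 and one for
    203.0.113.9: the proxy line, the unrelated sshd line and the line whose
    ninth field is not an address are all dropped, and the second probe from
    192.0.2.10 does not produce a second rule. Export DRY_RUN=0 to have it
    call ipchains for real.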
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:53:58 PDT