>> There's no way to stop the requests coming in,
>> as you have no idea where to expect them from.
>> You can blackhole or deny hosts as you find their
>> IPs, but I get hit from all over the net, all day,
>> every day.

Although I don't use these methods myself, there are ways to filter Nimda (and similar signatures) before they reach your servers. These options are best deployed in situations when your bandwidth may be limited, for example in small to medium sized companies, to maximise usage of links for 'official' business. Bear in mind though, that these methods will use up CPU cycles and other resources on the hardware performing the filtering, and of course they would need to be implemented at the ISP's end of the link.

These are just examples, which can be modified to match any signatures, for example Nimda:

1. Use Cisco Network-Based Application Recognition (NBAR) to filter readme.eml files from being downloaded. Here's an example for configuring NBAR:

   Router(config)#class-map match-any http-hacks
   Router(config-cmap)#match protocol http url "*cmd.exe*"

   Once you have matched the traffic, you can choose to discard or Policy Based Route the traffic to monitor infected hosts.

2. Using IPTables (v1.2.3 or higher):

   $IPTABLES -I INPUT -p tcp --dport 80 -m string --string ".exe?" \
       -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset

Best regards,

John Swarbrick
Senior Linux Engineer
Phoenix Networks Ltd
Phone: 01332 680000
Email: john.swarbrickat_private
Web: http://www.pnl.co.uk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
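As an added example (not the poster's code), the following Python script applies the two signatures from the post, the NBAR URL glob `*cmd.exe*` and the iptables literal string `.exe?`, to constructed Apache-style access-log lines, counts matching requests per source address, and emits deny rules for the "blackhole or deny hosts as you find their IPs" step. The log lines, addresses and the per-source threshold are assumptions for illustration.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample access-log lines (Apache common log format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:01:02 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:10:01:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [18/Sep/2001:10:02:12 +0000] "GET /readme.eml HTTP/1.1" 404 210
10.0.0.7 - - [18/Sep/2001:10:03:00 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
"""

# source-ip, method, request path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

NBAR_URL_GLOB = "*cmd.exe*"   # NBAR 'match protocol http url' pattern from the post
IPTABLES_STRING = ".exe?"     # iptables '-m string --string' pattern from the post


def classify(path):
    """Report which of the two filters would match this request path.
    NBAR matches the URL with a glob; the iptables string module does a
    literal substring search over a single packet's payload, so the match
    is modelled here on the request line and assumes it is not split
    across TCP segments."""
    return {
        "nbar": fnmatchcase(path, NBAR_URL_GLOB),
        "iptables": IPTABLES_STRING in path,
    }


def scan_log(text):
    """Return {source_ip: hit_count} for requests that hit either filter
    or that fetch readme.eml, the other Nimda artefact named in the post."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        if any(classify(path).values()) or path.endswith("readme.eml"):
            hits[ip] += 1
    return dict(hits)


def deny_rules(hits, threshold=1):
    """Emit per-source DROP rules for hosts at or above the hit threshold."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    for rule in deny_rules(scan_log(SAMPLE_LOG), threshold=2):
        print(rule)
```

Note that `root.exe?/c+dir` is caught only by the `.exe?` string match and not by the `*cmd.exe*` URL glob, which is why the two signatures complement each other.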
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 15:05:11 PST