Security Incidents mailing list archives
Re: New Method for Blocking Code Red and Similar Exploits
From: "Nelson Neves" <nneves () convex pt>
Date: Wed, 08 Aug 2001 06:07:23 +0100
Hi Randy,

We implemented the 2nd approach. The 1st approach you referred to didn't work out, because even after we issued the service-policy command on the interface, the policy-map didn't get associated with it. Probably a minor IOS problem/bug, but in this case, I think the 2nd approach is better in terms of CPU consumption.

Replying to your 2nd question, we have the logs before and after the implementation of NBAR. About this situation, please keep in mind that we also have an extended ACL on the serial interface (a 256Kb frame-relay link) blocking almost everything except www (and some other services) for our web servers. Nonetheless, today we had some 400 hits or so directly on the web servers, and as we could see in the log files, the data of the packets were Code Red I and Code Red II fingerprints, but after the policy configuration, we are only getting HTTP 408 logs, nothing else :-) We're currently monitoring the log files of the web servers and our Internet router, and fortunately, it appears that the effects of the worm are getting dumped big time :-)

Show proc before NBAR:
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%

Show proc after NBAR and CEF:
CPU utilization for five seconds: 6%/3%; one minute: 4%; five minutes: 3%

So, there's no big increase in the percentage of CPU consumption, but we'll keep an eye on it.

Very best regards,
Nelson Bruno S. Neves
------------------------------------------------------------------------
Systems Engineer
Cisco Certified Network Professional, Security, Voice and ATM Specialist
Convex Portugal
Taguspark - Edificio Ciencia II, Nr.2, Piso 2
2780-920 Porto Salvo - Portugal
Telefone: ++351 21 4229200
Fax: ++351 21 4223787
www: http://convex.pt
e-mail: nneves () convex pt
ICQ# 86937816
------------------------------------------------------------------------

----- Original Message -----
From: "Randy Benn" <rbenn () cisco com>
Date: Wednesday, August 8, 2001 4:00 am
Subject: Re: New Method for Blocking Code Red and Similar Exploits
Antonio,

Thanks for the feedback. I've included a note about the need to turn on CEF in the latest version of the advisory. Already had it on in my router for NBAR protocol discovery, so I forgot to add it to the sample configs.

Also, thanks for the tip on the IOS versions. I've got minimum versions listed, perhaps I'll add a note about deferred releases, but that's a whole different ball game altogether.

A couple more questions for you:
1) Did you implement the filtering (approach #1) or policing (approach #2) solution?
2) Do you have any befor

Thanks,
Randy

----- Original Message -----
From: "Antonio Vasconcelos" <vasco () convex pt>
To: "Randall S. Benn" <rbenn () clark net>
Cc: <incidents () securityfocus com>; <nneves () convex pt>
Sent: Tuesday, August 07, 2001 10:46 PM
Subject: Re: New Method for Blocking Code Red and Similar Exploits

Hi Randy,

We are currently trying the solution (it's 3.30 am here in PT) you provided and we're happy to say that it works perfectly. The URL that comes with the Code Red is dropped without any questions asked and the log shows a 408 reply (Request Timed Out, according to the HTTP RFC) on the web server log, keeping the content out. You can check out the output from the log below.

Before implementing NBAR:
194.x.x.x- - [0>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
u9090%u68
58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%
u0078%u0000%u00=aHTTP/1.0" 404 889

After implementing NBAR:
194.x.x.x- - [0>

So it's ok to go ahead and spread the word ;-) Just one thing... you forgot to mention that IP CEF has to be configured for the policy map to work, like this:

Router(config)#ip cef
Router(config)#int s0/0
Router(config-if)#ip route-cache cef

It's a bit hard on the processor, but we can't make omelets without breaking some eggs :-). Last, but not least, IOS version 12.1(5)T is deferred, so we'd recommend using version 12.1(5)T9 instead. It's tested and working on a 2600 platform.

Thanks for the tip and best regards,
Antonio Vasconcelos & Nelson Neves

At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
A new method for blocking Code Red and similar exploits that use HTTP GET requests has been published. The method uses new capabilities within Cisco IOS software. Read the on-line advisory at: http://iponeverything.net/CodeRed.html

The beauty of this solution is that it can be used to block Code Red infections today and can be easily modified with new signatures in the future using the HTTP sub-port classification mechanism in IOS.

Randy
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
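The before/after comparison Antonio and Nelson describe (a 404 while the full Code Red URL still reaches the web server, a 408 request timeout once the router's NBAR policy drops the packet carrying it) can be checked mechanically from the access log. The script below is an added example, not code from the thread or from the advisory: it parses Apache-style log lines, flags Code Red I/II style /default.ida probes, and counts timeouts; the hosts, timestamps and shortened payloads in it are constructed.

```python
import re
# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Both Code Red variants request /default.ida with a long filler run
# (X for Code Red I, N for Code Red II) followed by %u-encoded overflow data.
IDA_FILLER_RE = re.compile(r'/default\.ida\?(?:X{50,}|N{50,})')
UNICODE_ESC_RE = re.compile(r'%u[0-9A-Fa-f]{4}')

def classify(line):
    """Describe one access-log line; returns None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    request = m.group('request')
    status = int(m.group('status'))
    probe = (IDA_FILLER_RE.search(request) is not None
             and len(UNICODE_ESC_RE.findall(request)) >= 4)
    if probe:
        kind = 'codered-probe'    # the full worm URL reached the web server
    elif status == 408 and request == '-':
        kind = 'request-timeout'  # no URL logged: consistent with the packet
                                  # carrying it being dropped upstream
    else:
        kind = 'other'
    return {'host': m.group('host'), 'status': status, 'kind': kind}

def summarize(lines):
    """Count lines per kind, to compare a log before and after the policy."""
    counts = {'codered-probe': 0, 'request-timeout': 0, 'other': 0, 'unparsed': 0}
    for line in lines:
        info = classify(line)
        counts[info['kind'] if info else 'unparsed'] += 1
    return counts

# Constructed sample lines (not the thread's real log; filler and payload shortened).
SAMPLE_LOG = [
    '10.0.0.1 - - [07/Aug/2001:03:30:01 +0100] "GET /default.ida?' + 'X' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 889',
    '10.0.0.2 - - [07/Aug/2001:03:30:05 +0100] "GET /default.ida?' + 'N' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 HTTP/1.0" 404 889',
    '10.0.0.3 - - [07/Aug/2001:03:40:12 +0100] "-" 408 -',
    '10.0.0.4 - - [07/Aug/2001:03:41:00 +0100] "GET /index.html HTTP/1.0" 200 1532',
]

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Run it over the real log before and after the policy-map is applied: the probe count should fall towards zero while the request-timeout count rises, which is the pattern the thread reports.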
Current thread:
- New Method for Blocking Code Red and Similar Exploits Randall S. Benn (Aug 07)
- Re: New Method for Blocking Code Red and Similar Exploits Antonio Vasconcelos (Aug 08)
- RE: New Method for Blocking Code Red and Similar Exploits Mike Batchelor (Aug 09)
- Re: New Method for Blocking Code Red and Similar Exploits Nelson Neves (Aug 08)