Re: New Method for Blocking Code Red and Similar Exploits

["Nelson Neves" <nneves () convex pt>]

Hi Randy,

We implemented the 2nd approach. The 1st approach you referred didn't 
worked out, because even after we issued the service-policy command on 
the interface, the policy-map didn't get associated with it. Probably a 
minor IOS problem/bug, but in this case, I think the 2nd approach is 
better in terms of cpu consumption. Replying to your 2nd question, we 
have the logs before and after the implementation of NBAR. About this 
situatin, please keep in mind that we also have an extended ACL on the 
serial interface (a 256Kb frame-relay link) blocking almost everything 
except www (and some other services) for our web servers. Nonetheless, 
today we had some 400 hits or so directly on the web servers, and as we 
could see in the log files, the data of the packets were Code Red I and 
Code Red II fingerprints, but after the policy configuration, we are 
only getting HTTP 408 logs, nothing else :-) we're currently monitoring 
the log files of the web servers and our Internet router, and 
fortunatelly, it appears that the effects of the worm are getting 
dumped big time :-)

Show proc before NBAR:

CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 
0%


Show proc after NBAR and CEF:

CPU utilization for five seconds: 6%/3%; one minute: 4%; five minutes: 
3%

So, there's no big incrementation of the percentage of cpu consumption, 
but we'll keep an eye on it.

Very best regards,
Nelson Bruno S. Neves
------------------------------------------------------------------------
Systems Engineer
Cisco Certified Network Professional, Security, Voice and ATM Specialist

Convex Portugal
Taguspark - Edificio Ciencia II, Nr.2, Piso 2
2780-920 Porto Salvo - Portugal
Telefone: ++351 21 4229200
Fax: ++351 21 4223787
www: http://convex.pt
e-mail: nneves () convex pt
ICQ# 86937816
------------------------------------------------------------------------

----- Original Message -----
From: "Randy Benn" <rbenn () cisco com>
Date: Wednesday, August 8, 2001 4:00 am
Subject: Re: New Method for Blocking Code Red and Similar Exploits

> Antonio,
>
> Thanks for the feedback.  I've included a note about the need to 
> turn on CEF
> in the latest version of the advisory.  Already had it on in my 
> router for
> NBAR protocol discovery, so I forgot to add it to the sample configs.
>
> Also, thanks for the tip on the IOS versions.  I've got minimum 
> versionslisted, perhaps I'll add a note about deferred releases, 
> but that's a whole
> different ball game altogether.
>
> A couple more questions for you:
>
> 1) Did you implement the filtering (approach #1) or policing 
> (approach #2)
> solution?
>
> 2) Do you have any befor
> Thanks,
>
> Randy
>
>
> ----- Original Message -----
> From: "Antonio Vasconcelos" <vasco () convex pt>
> To: "Randall S. Benn" <rbenn () clark net>
> Cc: <incidents () securityfocus com>; <nneves () convex pt>
> Sent: Tuesday, August 07, 2001 10:46 PM
> Subject: Re: New Method for Blocking Code Red and Similar Exploits
>
>
> > Hi Randy,
> >
> > We are currently trying the solution (it's 3.30 am here in PT) you
> provided
> > and we're happy to say that it works perfectly. The URL that 
> comes with
> the
> > Code Red is dropped without any questions asked and the log 
> shows a 408
> > reply (Request Timed Out, according to the HTTP RFC) on the web 
> serverlog,
> > keeping the content out. You can check out the output from the 
> log below.
> > Before implementing NBAR:
> >
> > 194.x.x.x- - [0> 
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
u9090%u68
> 58%ucbd3%u7801%u9090%u6858%ucbd3%u7
> >
> 801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%
> u0078%u0000%u00=a
> > HTTP/1.0" 404 889
> >
> >
> > After implementing NBAR:
> >
> > 194.x.x.x- - [0>
> > So it's ok to go ahead and spread the word ;-) just one thing 
> ... you
> > forgot to mention that IP Cef has to be configured for the 
> policy map to
> > work, like this:
> >
> > Router(config)#ip cef
> > Router(config)#int s0/0
> > Router(config-if)#ip route-cache cef
> >
> > It's a bit hard on the processor, but we can't make omelets without
> > breaking some eggs :-). Last, but not least, IOS version 
> 12.1(5)T is
> > deferred, so we'd recommend using version 12.1(5)T9 instead. 
> It's tested
> > and working on a 2600 platform.
> >
> > Thanks for the tip and best regards,
> > Antonio Vasconcelos & Nelson Neves
> >
> > At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
> > > A new method for blocking Code Red and similar exploits that 
> use HTTP GET
> > > requests has been published.  The method uses new capabilities 
> within> >Cisco IOS software.  Read the on-line advisory at:
> > > http://iponeverything.net/CodeRed.html
> > >
> > > The beauty of this solution is that it can be used to block 
> Code Red
> > > infections today and can be easily modified with new signatures 
> in the
> > > future using the HTTP sub-port classification mechanism in IOS.
> > >
> > > Randy
> >
> > ------------------------------------------------------------------
> ---------
> -
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http:


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com