Security Incidents mailing list archives

Re: New Method for Blocking Code Red and Similar Exploits


From: "Antonio Vasconcelos" <vasco () convex pt>
Date: Wed, 08 Aug 2001 03:46:55 +0100

Hi Randy,

We are currently trying the solution (it's 3.30 am here in PT) you provided and we're happy to say that it works perfectly. The URL that comes with the Code Red is dropped without any questions asked and the log shows a 408 reply (Request Timed Out, according to the HTTP RFC) on the web server log, keeping the content out. You can check out the output from the log below.

Before implementing NBAR:

194.x.x.x- - [08/Aug/2001:03:13:31 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7
801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 889


After implementing NBAR:

194.x.x.x- - [08/Aug/2001:03:34:17 +0000] "-" 408 -

So it's ok to go ahead and spread the word ;-) Just one thing ... you forgot to mention that IP CEF has to be configured for the policy map to work, like this:

Router(config)#ip cef
Router(config)#int s0/0
Router(config-if)#ip route-cache cef

It's a bit hard on the processor, but we can't make omelets without breaking some eggs :-). Last, but not least, IOS version 12.1(5)T is deferred, so we'd recommend using version 12.1(5)T9 instead. It's tested and working on a 2600 platform.

Thanks for the tip and best regards,
Antonio Vasconcelos & Nelson Neves

At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
A new method for blocking Code Red and similar exploits that use HTTP GET requests has been published. The method uses new capabilities within Cisco IOS software. Read the on-line advisory at:

http://iponeverything.net/CodeRed.html

The beauty of this solution is that it can be used to block Code Red infections today and can be easily modified with new signatures in the future using the HTTP sub-port classification mechanism in IOS.

Randy
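
For reference, an IOS configuration of the kind the thread describes, added here as a constructed example rather than text from the linked advisory or from either poster. The class-map and policy-map names, the mark-then-filter approach, and the FastEthernet0/1 server-side interface are assumptions; the `ip cef` / `ip route-cache cef` lines are the ones Antonio's reply says are required.

```cisco
! Constructed example (not the advisory's text): classify Code Red-style
! HTTP requests with NBAR on the inbound WAN interface, mark them, then
! drop the marked packets before they reach the web servers.
!
! CEF must be enabled globally and on the classified interface, as the
! reply above points out; NBAR classification does not run without it.
ip cef
!
! Class-map name is an assumption. NBAR HTTP sub-port classification
! matches on the request URL, so new signatures are added as more
! "match protocol http url" lines.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
!
! Mark matching packets rather than dropping them inside the policy map,
! so the decision is visible in ACL counters and easy to audit.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
interface Serial0/0
 ip route-cache cef
 service-policy input mark-inbound-http-hacks
!
! Drop anything marked DSCP 1 on its way out towards the server LAN.
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
! Server-facing interface name is an assumption.
interface FastEthernet0/1
 ip access-group 105 out
```

Only the packets carrying the matching GET are discarded, after the TCP handshake has already completed, which is why the server log above shows a 408 timeout for the dropped request rather than no entry at all.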


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

