Security Incidents mailing list archives

RE: Possible way to avoid unknown IIS vulnerabilities


From: "Michael Katz" <mike () responsible com>
Date: Thu, 9 Aug 2001 22:20:19 -0700

On Wednesday, August 08, 2001 11:31 PM, Mark Lewis wrote:

> While poking around in my logs following Code Red I started noticing that
> there were no entries indicating any attempts. Not fully believing this, I
> went ahead and got Snort back up and running and waited 10 min and I already
> had 17 hits. After thinking a bit I came to the conclusion that the cause
> for this is host headers. Now, how this applies to future vulnerabilities is
> this: most of these script based attacks generate random IPs, so if you use
> host headers even if only one site is present it would require a name to
> tell the web server which dir to send the request to. Not sure how effective
> this would be against Unicode type exploits, but I feel it would have helped
> with CR. Should be able to accomplish the same thing with Apache too.....
> Any thoughts or experiences?

Mark,

Using host headers on IIS servers will likely protect you from more than 90% of the
attacks that are currently circulating, as most of them rely on scanning and
exploitation via http://yourIPaddress. This is particularly true for Code Red v1 and
v2, the sadmind/IIS worm, the new Code Red II worm and the common scripted scans for
decoding vulnerabilities. However, you should take the following into consideration:

1) It won't protect you from people who use search engines to find potentially
   vulnerable servers and attackers who have targeted your server;

2) You should not allow this additional layer of protection to lull you into a
   false sense of security - secure configuration of IIS including removal of
   unused server extension mappings and default virtual directories and
   application of current patches is still needed; and

3) Your server will no longer log any of the scans and attempts that use the IP
   address. In the absence of IDS, web server access logs are a useful tool for
   knowing what is out there and what is trying to get into your server.

Michael Katz
mike () responsible com
Responsible Solutions, Ltd.
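The mechanism both posters describe, and the logging caveat in point 3, in a small runnable model (added example, not code from either message; the request lines and source addresses are constructed sample traffic, and the site name www.example.com is an assumption). A name-based server hands a request to a site only when its Host: header names that site; a request that arrives by bare IP address, with no Host: header (HTTP/1.0 scanners), or for an unknown name falls through to a catch-all. The catch-all answers 404 but writes its own log, which is what keeps the worm traffic visible after the switch to host headers. The attack signatures used at the end (Code Red's default.ida request, the %c0%af Unicode traversal, cmd.exe/root.exe in the path) are the ones named in the thread; the fifth request shows the limit from point 1, an attacker who already knows the name reaches the site regardless:

```python
"""Name-based (host-header) dispatch with a logging catch-all.

Models what a name-based virtual host does for the cases discussed in the
thread: bare-IP, missing and unknown Host: headers never reach the site,
but the catch-all keeps a log of them.  Sample traffic is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    client: str  # source address, only used for the log line


Handler = Callable[[Request], Tuple[int, str]]


def host_of(req: Request) -> Optional[str]:
    """Host: header lower-cased with any :port removed; None if the header is absent."""
    host = req.headers.get("Host")
    if host is None:
        return None
    host = host.strip().lower()
    if host.startswith("["):                  # IPv6 literal: keep the brackets, drop :port
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]              # drop :port on names and IPv4 literals


def is_ip_literal(host: str) -> bool:
    """True when the Host: value is an IP address rather than a name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class NameBasedServer:
    def __init__(self, sites: Dict[str, Handler]) -> None:
        self.sites = {name.lower(): handler for name, handler in sites.items()}
        self.site_log: List[str] = []      # what the site's own access log would hold
        self.catchall_log: List[str] = []  # what would otherwise be lost (point 3)

    def handle(self, req: Request) -> Tuple[int, str]:
        host = host_of(req)
        line = f'{req.client} host={host or "-"} "{req.method} {req.path}"'
        if host and not is_ip_literal(host) and host in self.sites:
            self.site_log.append(line)
            return self.sites[host](req)
        # Bare IP, no Host:, or a name we do not serve: 404, but keep the evidence.
        self.catchall_log.append(line)
        return 404, "Not Found"


# Signatures from the attacks named in the thread (Code Red's default.ida,
# Unicode traversal, cmd.exe/root.exe in the URL).
ATTACK_PATTERNS = re.compile(r"default\.ida|%c0%af|%c1%1c|cmd\.exe|root\.exe", re.IGNORECASE)


def flag_attack_lines(lines: List[str]) -> List[str]:
    """Return the log lines that match a known IIS worm/scan signature."""
    return [line for line in lines if ATTACK_PATTERNS.search(line)]


def run_demo() -> NameBasedServer:
    server = NameBasedServer({"www.example.com": lambda r: (200, "welcome")})
    traffic = [  # constructed sample requests
        # Code Red style probe sent to the raw address
        Request("GET", "/default.ida?NNNNNNNN%u9090%u6858%ucbd3", {"Host": "192.0.2.10"}, "198.51.100.7"),
        # HTTP/1.0 traversal scan with no Host: header at all
        Request("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", {}, "203.0.113.9"),
        # ordinary visitors, with and without an explicit port
        Request("GET", "/index.html", {"Host": "www.example.com"}, "192.0.2.55"),
        Request("GET", "/index.html", {"Host": "WWW.Example.com:80"}, "192.0.2.56"),
        # targeted attacker who knows the name: host headers do not help here (point 1)
        Request("GET", "/scripts/root.exe?/c+dir", {"Host": "www.example.com"}, "203.0.113.9"),
    ]
    for req in traffic:
        server.handle(req)
    return server


if __name__ == "__main__":
    s = run_demo()
    print("site log:", *s.site_log, sep="\n  ")
    print("catch-all log:", *s.catchall_log, sep="\n  ")
    print("flagged in catch-all:", len(flag_attack_lines(s.catchall_log)))
    print("flagged at the site:", len(flag_attack_lines(s.site_log)))
```

In a real deployment the catch-all is simply a first (default) virtual host with its own access log and an empty document root; the point of the model is that the site's handler never runs for the first two requests, while their log lines still exist to be reviewed.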


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

