Security Incidents mailing list archives
RE: Possible way to avoid unknown IIS vulnerabilities
From: "Michael Katz" <mike () responsible com>
Date: Thu, 9 Aug 2001 22:20:19 -0700
On Wednesday, August 08, 2001 11:31 PM, Mark Lewis wrote:
> While poking around in my logs following Code Red I started noticing that there were no entries indicating any attempts. Not fully believing this I went ahead and got Snort back up and running and waited 10 min and I already had 17 hits. After thinking a bit I came to the conclusion that the cause for this is host headers. Now, how this applies to future vulnerabilities is this: most of these script based attacks generate random IPs, so if you use host headers even if only one site is present it would require a name to tell the web server which dir to send the request to. Not sure how effective this would be against Unicode type exploits, but I feel it would have helped with CR. Should be able to accomplish the same thing with Apache too..... Any thoughts or experiences?
Mark,

Using host headers on IIS servers will likely protect you from more than 90% of the attacks that are currently circulating, as most of them rely on scanning and exploitation via http://yourIPaddress. This is particularly true for Code Red v1 and v2, the sadmind/IIS worm, the new Code Red II worm and the common scripted scans for decoding vulnerabilities.

However, you should take the following into consideration:

1) It won't protect you from people who use search engines to find potentially vulnerable servers and attackers who have targeted your server;
2) You should not allow this additional layer of protection to lull you into a false sense of security - secure configuration of IIS including removal of unused server extension mappings and default virtual directories and application of current patches is still needed; and
3) Your server will no longer log any of the scans and attempts that use the IP address. In the absence of IDS, web server access logs are a useful tool for knowing what is out there and what is trying to get into your server.

Michael Katz
mike () responsible com
Responsible Solutions, Ltd.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
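The share of traffic that host headers would turn away, and that would therefore vanish from the site's access log as point 3 above describes, can be measured before the setting is changed. The following is an added example, not part of the original thread: it tallies, from a W3C extended log that includes the cs-host field, how many requests named the site and how many used a bare IP address or no Host header. The log sample, the site name www.example.com and all addresses are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample (not from the thread): W3C extended log lines with the
# cs-host field enabled. 192.0.2.10 is a placeholder for the server's address.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2001-08-09 21:02:11 198.51.100.7 GET /index.html 200 www.example.com
2001-08-09 21:02:40 203.0.113.5 GET /missing.html 404 192.0.2.10
2001-08-09 21:03:02 203.0.113.9 GET /default.htm 200 192.0.2.10:80
2001-08-09 21:03:15 198.51.100.7 GET /about.html 200 WWW.EXAMPLE.COM
2001-08-09 21:04:51 203.0.113.5 GET /index.html 200 -
2001-08-09 21:05:30 198.51.100.23 GET /index.html 200 other.example.net
truncated line
"""

def classify_host(value, site_names):
    """Classify one cs-host value as 'named', 'ip', 'missing' or 'other'."""
    if value in ("", "-"):
        return "missing"
    host = value.lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:80
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:               # name-or-IPv4 followed by :port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "named" if host in site_names else "other"

def summarize(log_text, site_names):
    """Return (Counter of classes, Counter of clients that sent no site name)."""
    names = {n.lower() for n in site_names}
    fields, classes, clients = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive may change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                         # other directives, malformed lines
        row = dict(zip(fields, parts))
        kind = classify_host(row.get("cs-host", "-"), names)
        classes[kind] += 1
        if kind != "named":
            clients[row.get("c-ip", "?")] += 1
    return classes, clients

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, ["www.example.com"]))
```

Requests counted as `ip`, `missing` or `other` are the ones a site bound only to its host header would not receive, so the second counter lists the clients that would no longer appear in that site's log.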