Vulnerability Development mailing list archives
Re: a real way to stop an http based worm
From: "The Crocodile" <tcroc () cow pasture com>
Date: Fri, 7 Sep 2001 19:36:48 -0700
The router ACL solution really depends upon the size and design of your network. For example, I am currently employed at a VERY large network (Read as one of the single largest in the US). When Code Red II hit us inside our perimeter we used router ACLs to block port 80 in its entirety in our Intranet (We have proxies for valid traffic). However we could not implement any more additional ACLs, especially ACLs that did any type of packet inspection at a more detailed level. That would have been VERY detrimental to our network's health. We did try to do additional router ACLs and sure enough the entire router ground to a halt.

With time and patience we managed to contain and eradicate. ACLs on 80 helped but were only a small subset of the solution. When you are in an environment as big as ours normal solutions usually won't cut the mustard :{

It is a very good solution but one that will not work in every environment (Trust me, I wish it did)

--TCroc

----- Original Message -----
From: "Jose Nazario" <jose () biocserver BIOC cwru edu>
To: "Gert-Jan Hagenaars" <blender () hagenaars com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, September 07, 2001 2:47 PM
Subject: Re: a real way to stop an http based worm

On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:

> Can this be done on the web-proxy boxes that the ISPs have on their
> networks? I.e. dunk anything that looks for "/default.ida?blah"?

yep. reverse proxies can be configured to do this. and cisco ACLs can already reset/block such connections i believe. in short a good idea, and one that can already be implemented.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
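
The proxy-side filtering discussed in this thread, as an added example that is not part of any poster's message: a Python sketch of the check a filtering proxy could apply to each request line before forwarding it. The function names, the normalisation steps and the sample request lines are assumptions constructed for illustration; only the path "/default.ida" followed by a query string comes from the thread.

```python
from urllib.parse import urlsplit, unquote

# Path named in the thread. Everything else here is an assumption made for
# this illustration, not a description of any particular proxy product.
BLOCKED_PATH = "/default.ida"

def request_path(target: str) -> str:
    """Extract the path from an origin-form or absolute-form request target."""
    if target.startswith("/"):
        # Origin-form: split by hand so "//default.ida" is not read as a host.
        return target.split("?", 1)[0]
    try:
        return urlsplit(target).path  # absolute-form, as a proxy receives it
    except ValueError:
        return ""  # malformed target; left to the proxy's normal error path

def normalise(path: str) -> str:
    """Undo simple obfuscation: percent-escapes, case, backslashes, repeated '/'."""
    for _ in range(3):  # bounded, so nested escapes such as %2564 are unwound
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path

def should_block(request_line: str) -> bool:
    """True when the request line asks for /default.ida with a query string."""
    parts = request_line.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return False
    return normalise(request_path(parts[1])) == BLOCKED_PATH

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /default.ida?blah HTTP/1.0",
    "GET /DEFAULT.IDA?blah HTTP/1.0",
    "GET /%64efault.ida?blah HTTP/1.0",
    "GET http://www.example.test/default.ida?blah HTTP/1.0",
    "GET /index.html?page=2 HTTP/1.0",
    "GET /docs/default.ida.html?x=1 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("BLOCK" if should_block(line) else "pass ", line)
```

The comparison is done on the normalised path rather than the raw string, so a differently cased or percent-encoded spelling of the same path is treated the same as the literal one.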