Vulnerability Development mailing list archives

Re: a real way to stop an http based worm


From: "The Crocodile" <tcroc () cow pasture com>
Date: Fri, 7 Sep 2001 19:36:48 -0700

The router ACL solution really depends upon the size and design of your
network.  For example, I am currently employed at a VERY large network (read
as one of the single largest in the US).  When Code Red II hit us inside our
perimeter we used router ACLs to block port 80 in its entirety in our
Intranet (we have proxies for valid traffic).  However, we could not
implement any more additional ACLs, especially ACLs that did any type of
packet inspection at a more detailed level.  That would have been VERY
detrimental to our network's health.  We did try to do additional router ACLs
and sure enough the entire router ground to a halt.  With time and patience
we managed to contain and eradicate.  ACLs on 80 helped but were only a small
subset of the solution.  When you are in an environment as big as ours
normal solutions usually won't cut the mustard :{

It is a very good solution but one that will not work in every environment
(Trust me, I wish it did).

--TCroc

----- Original Message -----
From: "Jose Nazario" <jose () biocserver BIOC cwru edu>
To: "Gert-Jan Hagenaars" <blender () hagenaars com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, September 07, 2001 2:47 PM
Subject: Re: a real way to stop an http based worm


On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:

Can this be done on the web-proxy boxes that the ISPs have on their
networks?  I.e. dunk anything that looks for "/default.ida?blah"?

yep. reverse proxies can be configured to do this. and cisco ACLs can
already reset/block such connections i believe.

in short a good idea, and one that can already be implemented.

____________________________
jose nazario      jose () cwru edu
           PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
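As an added illustration of the proxy-side filter discussed above (this is example code written for this archive page, not code from either poster), the following Python scanner applies the same "/default.ida?" match to web access-log lines and tallies which sources are probing. The log lines, addresses and the helper names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of access-log lines in Apache combined format.
# The long filler in a real Code Red II request is shortened; the thing the
# proxy rule keys on is the "/default.ida?" path prefix.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Sep/2001:13:02:11 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [07/Sep/2001:13:02:12 -0700] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Sep/2001:13:02:40 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [07/Sep/2001:13:03:01 -0700] "GET /DEFAULT.IDA?XXXX HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [07/Sep/2001:13:03:05 -0700] "POST /cgi-bin/form HTTP/1.1" 200 120 "-" "Mozilla/4.0"
"""

# Minimal combined-log parser: source, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def is_code_red_probe(path: str) -> bool:
    """True for the request shape the thread proposes dropping at the proxy:
    a request for /default.ida with a query string.  Compared
    case-insensitively because IIS does not treat paths as case sensitive."""
    return path.lower().startswith("/default.ida?")


def scan_log(text: str):
    """Return (per-source hit counts, list of (src, ts, path) for each hit).
    Lines that do not parse are skipped rather than counted."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_code_red_probe(m["path"]):
            hits.append((m["src"], m["ts"], m["path"]))
    return Counter(src for src, _, _ in hits), hits


if __name__ == "__main__":
    counts, hits = scan_log(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} Code Red style probe(s)")
```

The same predicate is what a reverse proxy or filtering rule would apply per request; run over existing logs it shows which internal hosts are already infected and scanning.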