Mailing List Archive

Cod Red HELP!!!!
Hello TIA


We are having issues with Code Red on our Unix servers. We have 508 IPs per
server and the Code Red scanning is acting like a massive DDoS on our Unix
machines: we are getting all these requests for default.ida and we are trying
to figure out how to block it.

Does anyone have any suggestions?


TIA again
RE: Cod Red HELP!!!! [ In reply to ]

This probably isn't the right place to be answering, so sorry for
being off topic.

We are using Cisco CS-800's (formerly Arrowpoint) with a content rule
to block any default.ida's. The requests never even get through to
the server. I don't know if any cisco routers do layer 5 rules
though.

The other option would be to set up a snort rule, and have it add
iptables rules, but with (last figure I heard) 8000 hosts infected,
that's gonna make a lot of rules.

Theo

Theo Zourzouvillys
Internet Consultant

+ Notnet Consultancy [ www.notnet.co.uk ]
- Specialising in Unix security, ISP Start-up and regeneration,
- MySQL solutions, E-commerce, and Load balancing.
+ Notnet.co.uk - Quality web hosting at an affordable price
- http://www.notnet.co.uk/
+ theo@crazygreek.co.uk

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Advanced
Hosting UNIX Admin Daniel Fairchild
Sent: 07 August 2001 13:52
To: snort-users@lists.sourceforge.net; netfilter@lists.samba.org;
bridge@math.leidenuniv.nl
Subject: Cod Red HELP!!!!

Hello TIA


We are having issues with Code Red on our Unix servers. We have 508
IPs per server and the Code Red scanning is acting like a massive DDoS on our
Unix machines: we are getting all these requests for default.ida and we are
trying to figure out how to block it.

Does anyone have any suggestions?


TIA again

Re: Cod Red HELP!!!! [ In reply to ]
Try to use the string match feature of iptables inside your firewall so
you can drop any packets that contain the default.ida string.

Hope this helps,

/me


On Tue, 7 Aug 2001, Advanced Hosting UNIX Admin Daniel Fairchild wrote:

> Hello TIA
>
>
> We are having issues with Code Red on our Unix servers. We have 508 IPs per
> server and the Code Red scanning is acting like a massive DDoS on our Unix
> machines: we are getting all these requests for default.ida and we are trying
> to figure out how to block it.
>
> Does anyone have any suggestions?
>
>
> TIA again
>
>
Re: [Snort-users] Cod Red HELP!!!! [ In reply to ]
On Tue, 7 Aug 2001, Advanced Hosting UNIX Admin Daniel Fairchild wrote:

> Hello TIA
>
>
> We are having issues with Code Red on our Unix servers. We have 508 IPs per
> server and the Code Red scanning is acting like a massive DDoS on our Unix
> machines: we are getting all these requests for default.ida and we are trying
> to figure out how to block it.
>
> Does anyone have any suggestions?

You may want to look at HogWash, it could identify and drop the Code Red
traffic.

http://hogwash.sourceforge.net

lance
Re: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]
Take a look at hogwash, http://hogwash.sourceforge.net. It can drop all
code red scans quite nicely and ease the load on your web servers.

Jed


On Tuesday 07 August 2001 07:18 am, Theo Zourzouvillys wrote:
> This probably isn't the right place to be answering, so sorry for
> being off topic.
>
> We are using Cisco CS-800's (formerly Arrowpoint) with a content rule
> to block any default.ida's. The requests never even get through to
> the server. I don't know if any cisco routers do layer 5 rules
> though.
>
> The other option would be to set up a snort rule, and have it add
> iptables rules, but with (last figure I heard) 8000 hosts infected,
> that's gonna make a lot of rules.
>
> Theo
>
> Theo Zourzouvillys
> Internet Consultant
>
> + Notnet Consultancy [ www.notnet.co.uk ]
> - Specialising in Unix security, ISP Start-up and regeneration,
> - MySQL solutions, E-commerce, and Load balancing.
> + Notnet.co.uk - Quality web hosting at an affordable price
> - http://www.notnet.co.uk/
> + theo@crazygreek.co.uk
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Advanced
> Hosting UNIX Admin Daniel Fairchild
> Sent: 07 August 2001 13:52
> To: snort-users@lists.sourceforge.net; netfilter@lists.samba.org;
> bridge@math.leidenuniv.nl
> Subject: Cod Red HELP!!!!
>
> Hello TIA
>
>
> We are having issues with Code Red on our Unix servers. We have 508
> IPs per server and the Code Red scanning is acting like a massive DDoS on our
> Unix machines: we are getting all these requests for default.ida and we are
> trying to figure out how to block it.
>
> Does anyone have any suggestions?
>
>
> TIA again
>
RE: Cod Red HELP!!!! [ In reply to ]
> Try to use the string match feature of iptables inside your firewall so
> you can drop any packets that contain the default.ida string.

But the default.ida string isn't in the SYN packet. By the time that
string arrives your connection is open and the server just has to respond
with a page not found (as it's a UNIX server I'm guessing it's not running
IIS ;) ). Blocking the packet leaves the connection open. I don't know
enough about this stuff to know if it's better to let the packet run and
close the connection or block it and leave it open till it times out.

Cheers
Nigel
RE: Cod Red HELP!!!! [ In reply to ]
Yes, you are right. I must have been thinking of something else when I wrote my
previous e-mail. I forgot that the connection is initiated first and then
the query is sent.

Regards,

/me


On Tue, 7 Aug 2001, Nigel Morse wrote:

>
> > Try to use the string match feature of iptables inside your firewall so
> > you can drop any packets that contain the default.ida string.
>
> But the default.ida string isn't in the SYN packet. By the time that
> string arrives your connection is open and the server just has to respond
> with a page not found (as it's a UNIX server I'm guessing it's not running
> IIS ;) ). Blocking the packet leaves the connection open. I don't know
> enough about this stuff to know if it's better to let the packet run and
> close the connection or block it and leave it open till it times out.
>
> Cheers
> Nigel
>
>
RE: Cod Red HELP!!!! [ In reply to ]
On Tue, 7 Aug 2001, s I n wrote:

> Date: Tue, 7 Aug 2001 21:02:06 +0300 (EEST)
> From: s I n <sin@Aniela.EU.ORG>
> To: Nigel Morse <N.Morse@hyperknowledge.com>
> Cc: Advanced Hosting UNIX Admin Daniel Fairchild <danielf@supportteam.net>,
> snort-users@lists.sourceforge.net, netfilter@lists.samba.org,
> bridge@math.leidenuniv.nl
> Subject: RE: Cod Red HELP!!!!

It seems to me that one method of getting rid of Code Red
is to reconfigure the server so that it does not use port
80. This may or may not be practical with a big machine.
It is only a thought based on the logs of my server on
port 8080. There are no Code Red entries.

=================================================================
beckman@clone.concordia.ca
Carolyn Beckman
=================================================================
RE: Cod Red HELP!!!! [ In reply to ]
Yes, but the default www port is 80. If you run a big site and you
don't want to be bothered by the CodeRed worm you just can't switch the
default port. Then no one will connect to the www server because, unless
you specify this explicitly, the web browser will try to make a connection
to port 80 of the site. The best way to deal with it (in my opinion) is to
have a firewall to filter out any connection request to port 80 of a
server that contains the default.ida string, something like a Cisco router
(someone on the list said it can do this).


Regards,

/me


> >
>
> It seems to me that one method of getting rid of Code Red
> is to reconfigure the server so that it does not use port
> 80. This may or may not be practical with a big machine.
> It is only a thought based on the logs of my server on
> port 8080. There are no Code Red entries.
>
> =================================================================
> beckman@clone.concordia.ca
> Carolyn Beckman
> =================================================================
>
>
Re: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]
I'm not a Cisco expert, but what you want is their CSS (content
switch). Does lots of cool stuff, but it's *extremely* expensive (as in
generally in the $200k+ range), so it's probably only within the reach of
relatively large organizations.


On Tue, 7 Aug 2001, s I n wrote:

> Yes, but the default www port is 80. If you run a big site and you
> don't want to be bothered by the CodeRed worm you just can't switch the
> default port. Then no one will connect to the www server because, unless
> you specify this explicitly, the web browser will try to make a connection
> to port 80 of the site. The best way to deal with it (in my opinion) is to
> have a firewall to filter out any connection request to port 80 of a
> server that contains the default.ida string, something like a Cisco router
> (someone on the list said it can do this).

--
Kyle Maxwell
kmaxwell@superpages.com
SuperPages.com Sys Admin
Re: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]
Ouch! Oh, well.... then you can settle for iptables, and try to
limit the incoming connections to your server to a specified amount per
minute or per second.

/me

On Tue, 7 Aug 2001, Kyle R Maxwell wrote:

> I'm not a Cisco expert, but what you want is their CSS (content
> switch). Does lots of cool stuff, but it's *extremely* expensive (as in
> generally in the $200k+ range), so it's probably only within the reach of
> relatively large organizations.
>
>
> On Tue, 7 Aug 2001, s I n wrote:
>
> > Yes, but the default www port is 80. If you run a big site and you
> > don't want to be bothered by the CodeRed worm you just can't switch the
> > default port. Then no one will connect to the www server because, unless
> > you specify this explicitly, the web browser will try to make a connection
> > to port 80 of the site. The best way to deal with it (in my opinion) is to
> > have a firewall to filter out any connection request to port 80 of a
> > server that contains the default.ida string, something like a Cisco router
> > (someone on the list said it can do this).
>
> --
> Kyle Maxwell
> kmaxwell@superpages.com
> SuperPages.com Sys Admin
>
>
Re: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]
CSS does the same as 'iptables REDIRECT'. I just saved you $200k ;-) (or
rather the netfilter authors did!!)
If you want it to work, you start by accepting all connections to port 80; if
the Code Red (or other virus) string appears, add that IP to a block rule to
prevent future connections. It will at least save you from some of the
storm. You could even send back an ICMP "you have a virus" message. We should
RFC that :)

`Allan

On Wednesday 08 August 2001 04:53, you wrote:
> I'm not a Cisco expert, but what you want is their CSS (content
> switch). Does lots of cool stuff, but it's *extremely* expensive (as in
> generally in the $200k+ range), so it's probably only within the reach of
> relatively large organizations.
>
> On Tue, 7 Aug 2001, s I n wrote:
> > Yes, but the default www port is 80. If you run a big site and you
> > don't want to be bothered by the CodeRed worm you just can't switch the
> > default port. Then no one will connect to the www server because, unless
> > you specify this explicitly, the web browser will try to make a connection
> > to port 80 of the site. The best way to deal with it (in my opinion) is
> > to have a firewall to filter out any connection request to port 80 of a
> > server that contains the default.ida string, something like a Cisco
> > router (someone on the list said it can do this).

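The approach Allan sketches above (accept port 80, spot the default.ida probe, then add the source to a block rule) worked through as an added example that is not from any poster in this thread. It reads constructed web-server log lines, counts default.ida requests per source, and emits iptables DROP rules for sources at or above a threshold; the log format, threshold and rule shape are my assumptions, and, as Nigel notes, a source block only stops future connections, not the one already open.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the thread). Code Red probes
# request /default.ida followed by a long padded query string.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2001:13:52:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.4 - - [07/Aug/2001:13:52:02 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [07/Aug/2001:13:52:03 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.9 - - [07/Aug/2001:13:52:04 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
"""

# Common log format: source IP, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
PROBE_PATH = "/default.ida"


def probe_sources(log_text):
    """Count requests whose path (query string stripped) is the Code Red probe,
    keyed by source IP. Lines that do not parse are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.lower() == PROBE_PATH:
            hits[m.group("ip")] += 1
    return hits


def block_rules(hits, threshold=1):
    """Return iptables commands (as strings, not executed) that drop new
    port-80 traffic from every source seen at least `threshold` times.
    Existing connections from that source are unaffected by these rules."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
        for ip, count in sorted(hits.items())
        if count >= threshold
    ]


if __name__ == "__main__":
    for rule in block_rules(probe_sources(SAMPLE_LOG), threshold=2):
        print(rule)
```

Raising the threshold keeps a single stray request from earning a block, which matters when the blocklist is being built automatically from a Snort alert or a log tail.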
RE: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]

> CSS does the same as 'iptables REDIRECT'. I just saved you $200k
> ;-) (or
> rather the netfilter authors did!!)

plus *a lot* more than iptables can, sad to say... iptables is coming
up there with the CSS and its competitors, but it's not quite there
yet :(


Theo


Theo Zourzouvillys
Internet Consultant

+ Notnet Consultancy [ www.notnet.co.uk ]
- Specialising in Unix security, ISP Start-up and regeneration,
- MySQL solutions, E-commerce, and Load balancing.
+ Notnet.co.uk - Quality web hosting at an affordable price
- http://www.notnet.co.uk/
+ theo@crazygreek.co.uk

Re: [Snort-users] RE: Cod Red HELP!!!! [ In reply to ]
On Tue, 7 Aug 2001, Kyle R Maxwell wrote:

> I'm not a Cisco expert, but what you want is their CSS (content
> switch). Does lots of cool stuff, but it's *extremely* expensive (as in
> generally in the $200k+ range), so it's probably only within the reach of
> relatively large organizations.

Even cheaper: Alteon 180e. ~$7k Layer 7 switching. :) Very handy feature.
But, it's not the end-all be-all!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net