Security Incidents mailing list archives
RE: New Method for Blocking Code Red and Similar Exploits
From: "Mike Batchelor" <mikebat () tmcs net>
Date: Wed, 8 Aug 2001 15:10:36 -0700
The bad news is that it consumes ~15% CPU capacity on 7200 class routers, and leaves open TCP sessions on the servers it is protecting. This is because the router must allow the SYN to pass and the session to be established before it can see the request URL. Then it cuts the session off at the knees, and does not send a RST to the server, whose session is left hanging until the stack times it out. This "cure" can cause problems worse than the disease. I advise extreme caution to anyone trying this.
-----Original Message-----
From: Randall S. Benn [mailto:rbenn () clark net]
Sent: Tuesday, August 07, 2001 3:31 PM
To: incidents () securityfocus com
Subject: New Method for Blocking Code Red and Similar Exploits

A new method for blocking Code Red and similar exploits that use HTTP GET requests has been published. The method uses new capabilities within Cisco IOS software. Read the on-line advisory at: http://iponeverything.net/CodeRed.html

The beauty of this solution is that it can be used to block Code Red infections today and can be easily modified with new signatures in the future using the HTTP sub-port classification mechanism in IOS.

Randy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
