nimda and string match [Re: apache and nimbda]

From: Vincent Haverlant (99.vincent.haverlant@aist.enst.fr)
Date: 02/05/02


Date: Tue, 5 Feb 2002 19:24:38 +0100
From: Vincent Haverlant <99.vincent.haverlant@aist.enst.fr>
To: "William N. Zanatta" <william@veritel.com.br>

On Fri, Feb 01, 2002 at 06:53:02PM -0200, William N. Zanatta wrote:
| David,
[netfilter-howto snip]
| I was encouraged to apply it to my firewall but now I'm in doubt about
| doing that.
|
| >Tommaso,
| >
| >How did you do that? I have iptables v1.2.5 on a 2.4.17
| >and is not working for me. I did not see the "--string"
| >option on iptables man page.
|

It is true to say that the string match will not be useful to you to
avoid nimda making requests on your apache server. Moreover you will
still get some logs in apache because the SYN packet will reach your
box and thus open the connection on apache. After that all the packets
which contain the request made by nimda will be DROPPED by your string
match rule but it's too late, Apache will be waiting for something on
the other side. That way you will get many open connections waiting for
some event and will eventually time out.
Bad effects:
        - many open and idle connections on apache
        - still some logs because of these connections, which end in
          a timeout.

If the reason why you want to block nimda is the amount of log, then use
Apache's customizable functionality, which has already been mentioned here.

If you want to block nimda to protect a bunch of IIS servers which could
sit behind your firewall, I think you should use a proxy like squid and
set ACLs based on the request itself. A second good reason why you
should use squid is that it is able to decode UCS2 requests or mixed
ascii/UCS2 requests, which iptables would not be able to do.

My 2c

Vincent.

-- 
   .~.   	Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\   	MUD -- FranDUMII (telnet:frandum.enst.fr:2001)
  /( )\  	Parinux (www.parinux.org)
  ^^-^^  "There is no system but GNU, and Linux is one of its kernels"
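Added example (not code from this post, from netfilter or from Squid): a small
Python model of the difference Vincent describes between a per-packet byte
match and a request-aware proxy. A string match in the firewall sees one TCP
segment at a time and only the raw bytes, so a request whose "cmd.exe" either
straddles a segment boundary or is percent-encoded slips past it, while a proxy
that reassembles the request and decodes it (percent, double-percent, %uXXXX
and overlong two-byte UTF-8 forms) sees the real path. The sample request lines
are constructed for the example, modelled on the well-known Nimda probe forms;
the lenient two-byte decoder is a simplified model of the decoding the worm
relied on, not a copy of IIS or Squid behaviour.

```python
import re

# Constructed sample requests for this example (the first three are modelled
# on the well-known unicode / double-decode traversal probes; the last is a
# plain request that must not match).
SAMPLE_REQUESTS = [
    b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    b"GET /_vti_bin/..%c1%1c../..%c1%1c../winnt/system32/c%6dd.exe?/c+dir HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.0\r\n",
]

# %uXXXX (IIS-style) or %XX escapes.
_PCT = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def percent_decode_once(data: bytes) -> bytes:
    """One pass of percent-decoding; %uXXXX is folded only when it is ASCII."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return bytes([cp]) if cp < 0x80 else m.group(0)
        return bytes([int(m.group(2), 16)])
    return _PCT.sub(repl, data)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Fold two-byte sequences that encode an ASCII byte (overlong forms such
    as C0 AF -> '/').  Assumption: the second byte is taken leniently (low six
    bits, no continuation check), which is what made C1 1C decode to '\\'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize_path(request_line: bytes, max_rounds: int = 3) -> str:
    """Extract the request target and normalise it the way a decoding proxy
    would: repeated percent-decoding (catches %25xx double encoding), overlong
    folding, backslash -> slash, lowercase.  Query string is dropped."""
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) > 1 else request_line
    path = target.split(b"?", 1)[0]
    for _ in range(max_rounds):
        decoded = percent_decode_once(path)
        if decoded == path:
            break
        path = decoded
    path = fold_overlong_utf8(path).replace(b"\\", b"/")
    return path.decode("latin-1").lower()


# Signature applied to the normalised path: a probe for cmd.exe or root.exe.
NIMDA_SIG = re.compile(r"/(?:cmd|root)\.exe$")


def is_nimda_probe(request_line: bytes) -> bool:
    """Request-aware check, as a proxy ACL on the decoded URL would do it."""
    return bool(NIMDA_SIG.search(normalize_path(request_line)))


def straddling_segments(request: bytes, needle: bytes) -> list:
    """Constructed TCP segmentation: cut the request so that `needle` is split
    across two segments (a split the sender controls)."""
    cut = request.index(needle) + len(needle) // 2
    return [request[:cut], request[cut:]]


def packet_string_match(segments: list, needle: bytes) -> bool:
    """What a per-packet string match sees: each segment on its own, raw bytes."""
    return any(needle in seg for seg in segments)


def proxy_match(segments: list) -> bool:
    """What the proxy sees: the reassembled, decoded request."""
    return is_nimda_probe(b"".join(segments))


if __name__ == "__main__":
    segs = straddling_segments(SAMPLE_REQUESTS[0], b"cmd.exe")
    print("per-packet match:", packet_string_match(segs, b"cmd.exe"))   # False
    print("proxy match:     ", proxy_match(segs))                       # True
    for req in SAMPLE_REQUESTS:
        print(is_nimda_probe(req), normalize_path(req))
```

Running the script shows the two gaps side by side: the straddled request is
invisible to the byte match but caught after reassembly, and the request with
"c%6dd.exe" never contains the literal "cmd.exe" on the wire at all, yet
normalises to the same path as the plain probes. The decoder is deliberately
lenient because it is used for detection only; a decoder that serves files
must be strict, not lenient.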
