RE: Code Red -- AGAIN?!?

From: Reeves, Michael (GEAE, Compaq) (michael.reeves@ae.ge.com)
Date: 12/03/01


From: "Reeves, Michael (GEAE, Compaq)" <michael.reeves@ae.ge.com>
To: "'H C'" <keydet89@yahoo.com>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Mon, 3 Dec 2001 09:51:38 -0500 

HC,

        Here is the link to Cisco's website on how to accomplish this. Also
here are my stats for about 4 days. I have had this implemented for almost a
week now with no problems. I only have this on one of my external routers to
see if there are any performance problems but everything has been cool and
the gang. I should be implementing on router #2 this week. Hope this helps!

Mike

http://www.cisco.com/warp/public/63/nimda.shtml

 FastEthernet1/0

  Service-policy input: drop-inbound-http-hacks

    Class-map: http-hacks (match-any)
      35725 packets, 2203431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.ida*"
        59 packets, 29294 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        30464 packets, 1856152 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        5202 packets, 317985 bytes
        5 minute rate 0 bps
      Match: protocol http url "*readme.eml*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Friday, November 30, 2001 4:09 PM
To: Reeves, Michael (GEAE, Compaq); 'incidents@securityfocus.com'
Subject: RE: Code Red -- AGAIN?!?

Mike,

> I have seen a steady stream of CR, CRII, and nimda
> since their inception.
> Some days worse than others but I filter it out at
> the routers. Over 40,000
> instances in the last week :)

Are you saying that your *router* does stateful
inspection? Or when you say "filter it out at the
routers", are you saying that you are blocking port 80
requests all together b/c you don't have a web server
running? If so, how do you know that the traffic is
CR/CRII/Nimda, if you can't see the URL being
requested?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
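As an added example (not part of Mike's post or of Cisco's documentation), the following Python parses a "show policy-map interface" counter block shaped like the one Mike posted into per-pattern packet and byte counts, and applies the same four URL globs from his class-map to request paths, so that the per-match numbers can be cross-checked against the class-map total. The sample output block and the request paths are constructed for the example; the assumption that IOS's "*" URL wildcard behaves like a case-sensitive shell glob is the author's, not something the thread states.

```python
import fnmatch
import re
from collections import OrderedDict

# The four URL globs from the http-hacks class-map in the post.
HTTP_HACK_PATTERNS = ("*.ida*", "*cmd.exe*", "*root.exe*", "*readme.eml*")

# Constructed sample, shaped like the 'show policy-map interface' output above.
SAMPLE_SHOW_OUTPUT = """\
    Class-map: http-hacks (match-any)
      35725 packets, 2203431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.ida*"
        59 packets, 29294 bytes
      Match: protocol http url "*cmd.exe*"
        30464 packets, 1856152 bytes
      Match: protocol http url "*root.exe*"
        5202 packets, 317985 bytes
      Match: protocol http url "*readme.eml*"
        0 packets, 0 bytes
"""

MATCH_RE = re.compile(r'Match: protocol http url "([^"]+)"')
COUNT_RE = re.compile(r"(\d+) packets, (\d+) bytes")


def parse_match_counters(text):
    """Return {pattern: (packets, bytes)} for every 'Match:' line, taken from
    the packets/bytes line that follows it. The class-map total line comes
    before any Match: line, so it is skipped; '5 minute rate' lines never
    match COUNT_RE."""
    counters = OrderedDict()
    current = None
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            current = m.group(1)
            continue
        c = COUNT_RE.search(line)
        if c and current is not None:
            counters[current] = (int(c.group(1)), int(c.group(2)))
            current = None
    return counters


def classify_url(url, patterns=HTTP_HACK_PATTERNS):
    """Return the first glob that matches the request path, else None.
    Assumption: fnmatchcase ('*' matches anything, case-sensitive) mirrors
    the IOS url match; match-any means the first hit is enough."""
    for pat in patterns:
        if fnmatch.fnmatchcase(url, pat):
            return pat
    return None
```

Summing the per-match packet and byte counts in Mike's block gives exactly the class-map totals (35725 packets, 2203431 bytes), which is what you expect when no single request hits two of the globs.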


