Re: "Nimda"?
From: John.Swarbrick@pnl.co.uk
Date: 02/27/02
- Previous message: Benjamin Morin: "Re: Wave of Nimda-like hits this morning?"
- Maybe in reply to: Bradley, Tony: ""Nimda"?"
- Next in thread: Greg Williamson: "Re: "Nimda"?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
From: John.Swarbrick@pnl.co.uk
Date: Wed, 27 Feb 2002 17:03:44 +0000
>> There's no way to stop the requests coming in,
>> as you have no idea where to expect them from.
>> You can blackhole or deny hosts as you find their
>> IPs, but I get hit from all over the net, all day,
>> every day.
Although I don't use these methods myself, there are
ways to filter Nimda (and similar signatures) before
they reach your servers. These options are best deployed
in situations when your bandwidth may be limited, for
example in small to medium sized companies to maximise
usage of links for 'official' business. Bear in mind
though, that these methods will use up CPU cycles and
other resources on the hardware performing the filtering, and
of course they would need to be implemented at the ISP's
end of the link.
These are just examples, which can be modified to match
any signatures, for example Nimda:
1. Use Cisco Network-based application recognition (NBAR)
to filter readme.eml files from being downloaded. Here's
an example for configuring NBAR:
Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*cmd.exe*"
Once you have matched the traffic, you can choose to
discard or Policy Based Route the traffic to monitor
infected hosts.
2. Using IPTables (v1.2.3 or higher)
# $IPTABLES holds the path to the iptables binary; the string is quoted so the
# shell does not treat ".exe?" as a filename glob
$IPTABLES -I INPUT -p tcp --dport 80 -m string --string ".exe?" \
  -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
Best regards,
John Swarbrick
Senior Linux Engineer
Phoenix Networks Ltd
Phone: 01332 680000
Email: john.swarbrick@pnl.co.uk
Web: http://www.pnl.co.uk
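Added example, not part of John's post and not the NBAR or iptables configuration above: the same three signatures the post names (cmd.exe, readme.eml and ".exe?") applied as detection logic over constructed web-server access-log lines, to list the source hosts sending Nimda-style requests and to show that the bare ".exe?" string also catches a legitimate download with a query string. The log lines, hosts and URLs are constructed sample data; the regexes are an assumption, since the post gives the signatures as IOS and iptables match strings rather than as patterns.

```python
import re
from collections import Counter

# Signatures taken from the post, checked in this order (first match wins).
# Written as regexes here; the post gives them as a NBAR glob and an iptables string.
SIGNATURES = [
    ("cmd.exe", re.compile(r"cmd\.exe", re.IGNORECASE)),
    ("readme.eml", re.compile(r"readme\.eml", re.IGNORECASE)),
    (".exe?", re.compile(r"\.exe\?", re.IGNORECASE)),
]

# Common Log Format: host ident user [time] "method url proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log: two cmd.exe probes from one host, one readme.eml
# fetch, one normal page view, and one legitimate .exe download with a query string.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Feb/2002:16:58:01 +0000] "GET /scripts/cmd.exe? HTTP/1.0" 404 290
192.0.2.10 - - [27/Feb/2002:16:58:02 +0000] "GET /msadc/cmd.exe? HTTP/1.0" 404 290
198.51.100.7 - - [27/Feb/2002:16:59:10 +0000] "GET /readme.eml HTTP/1.0" 404 210
203.0.113.5 - - [27/Feb/2002:17:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [27/Feb/2002:17:00:01 +0000] "GET /downloads/setup.exe?lang=en HTTP/1.0" 200 51200
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def matched_signature(url):
    """Return the name of the first signature the request URL matches, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(url):
            return name
    return None


def scan(log_lines):
    """Count signature hits per source host and per signature over the given log lines."""
    by_host, by_sig = Counter(), Counter()
    for line in log_lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        sig = matched_signature(rec["url"])
        if sig is not None:
            by_host[rec["host"]] += 1
            by_sig[sig] += 1
    return dict(by_host), dict(by_sig)


def deny_list(by_host, threshold):
    """Hosts with at least `threshold` hits, as candidates for a deny/blackhole rule."""
    return sorted(h for h, c in by_host.items() if c >= threshold)
```

Running `scan(SAMPLE_LOG.splitlines())` attributes one hit to 203.0.113.5 purely through the ".exe?" signature on an ordinary download, which is why a hit threshold (or the narrower cmd.exe match) is worth applying before a host is blackholed.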
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com