[42695] in North American Network Operators' Group
Blocking nimda probes with a content-layer switch
daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Sep 19 00:37:02 2001
Date: Wed, 19 Sep 2001 00:32:50 -0400
From: Joe Abley <jabley@automagic.org>
To: nanog@merit.edu
Message-ID: <20010919003249.L85635@buffoon.automagic.org>
Reply-To: jabley@automagic.org
Mail-Followup-To: jabley@automagic.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Errors-To: owner-nanog-outgoing@merit.edu
Has anybody tried to block nimda HTTP GET probes using URL
pattern matches in a "layer-4-7"[1] switch?

The ideal result is to prevent nimda GET probes from ever
reaching the destination address, but causing the session
to be reset towards the server after the open handshake but
before the GET can be sent to the server would be acceptably
useful.

Particularly whether it's possible on a cisco/Arrowpoint switch,
but it would be interesting to know about other vendors too.

Please reply directly, will summarise if there are answers to
share.

Thanks!

[1] substitute phrase-du-jour as appropriate
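The URL-pattern matching the post asks about, as an added example that is not part of the original message or any vendor's switch configuration. It models two ways a content switch (or a reverse proxy in front of the origin) could classify a request line before forwarding it: literal substring rules on the raw, undecoded URL, which is what a "layer-4-7" switch typically does, and a single rule applied after percent-decoding and path normalisation. The probe paths in RAW_RULES are assumed to be a subset of the publicly documented Nimda scan targets of 2001, not taken from the post; the access-log lines are constructed, and the source addresses in them are made up.

```python
"""Classify HTTP GET request targets as Nimda-style probes (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: a sample of the widely documented Nimda probe paths, one
# entry per encoding variant, because a literal rule only matches the
# bytes actually on the wire.
RAW_RULES = (
    "/scripts/root.exe",
    "/MSADC/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
    "/scripts/..%5c../winnt/system32/cmd.exe",
    "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
)

# One rule after canonicalisation: every probe ends in the Windows
# command interpreter or the worm's renamed copy of it.
CANONICAL_RULE = re.compile(r"(^|/)(cmd|root)\.exe$")

# Apache combined/common log prefix: ip ident user [time] "method target proto" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:14:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:14:02:12 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:14:02:13 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:14:02:14 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.5 - - [18/Sep/2001:14:03:01 -0400] "GET /index.html HTTP/1.1" 200 1234
192.0.2.5 - - [18/Sep/2001:14:03:02 -0400] "GET /scripts/status.cgi?dir=c HTTP/1.1" 200 88
"""


def path_of(request_target: str) -> str:
    """Drop the query string; the probes carry their command there."""
    return request_target.split("?", 1)[0]


def raw_match(request_target: str) -> bool:
    """Literal prefix match on the undecoded URL, as a switch rule would do."""
    path = path_of(request_target)
    return any(path.startswith(rule) for rule in RAW_RULES)


def canonicalise(request_target: str) -> str:
    """Percent-decode until stable (covers %25-style double encoding),
    fold backslashes to slashes and lower-case. Invalid UTF-8 such as the
    overlong %c0%af sequence decodes to U+FFFD, which still leaves the
    literal tail of the path available for matching."""
    prev, cur = None, path_of(request_target)
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def canonical_match(request_target: str) -> bool:
    """Single normalised rule instead of one entry per encoding."""
    return CANONICAL_RULE.search(canonicalise(request_target)) is not None


def decide(request_target: str) -> str:
    """Action for one request line: reset the session or forward it."""
    return "reset" if canonical_match(request_target) else "forward"


def classify_log(text: str) -> dict:
    """Count probe hits per source address under both matching strategies.

    Returns {ip: Counter(raw=n, canonical=n)} so the gap between the two
    columns shows which encodings the literal rule set is missing."""
    hits = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        if method != "GET":
            continue
        entry = hits.setdefault(ip, Counter())
        entry["raw"] += raw_match(target)
        entry["canonical"] += canonical_match(target)
    return hits


if __name__ == "__main__":
    for ip, counts in classify_log(SAMPLE_LOG).items():
        print(ip, "raw:", counts["raw"], "canonical:", counts["canonical"])
```

Two points follow from running it over the constructed log. A literal rule set must enumerate every encoding variant the worm sends (the %c0%af line is missed by RAW_RULES here but caught after normalisation), so a switch that cannot decode URLs needs a longer rule list than one that can. And because either strategy has to read the request line before deciding, the decision necessarily comes after the TCP handshake, which is the fallback outcome the post already describes as acceptable.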