[42698] in North American Network Operators' Group

Re: Blocking nimda probes with a content-layer switch

daemon@ATHENA.MIT.EDU (Lincoln Dale)
Wed Sep 19 03:03:43 2001

Message-Id: <4.3.2.7.2.20010918234207.02b7ba40@203.9.111.130>
Date: Tue, 18 Sep 2001 23:59:14 -0700
To: jabley@automagic.org
From: Lincoln Dale <ltd@interlink.com.au>
Cc: nanog@merit.edu
In-Reply-To: <20010919003249.L85635@buffoon.automagic.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 12:32 AM 19/09/2001 -0400, Joe Abley wrote:
>Has anybody tried to block nimda HTTP GET probes using URL
>pattern matches in a "layer-4-7"[1] switch?

note that this worm uses multiple methods for spreading - email and 
HTTP.  these methods are only addressing the HTTP side of things:


NBAR (Network Based Application Recognition) in IOS:
         existing CodeRed NBAR settings will block the HTTP probes.
         see http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Cisco Content Engine:
         rule enable
         rule block url-regex http://.*/cmd\.exe
         rule block url-regex http://.*/root\.exe

Cisco CSS11K (Content Services switch):
         service dummy
           ip address 10.1.1.1
           keepalive type none
           active
         !
         header-field-group cmd.exe
           header-field cmd.exe request-line contain "cmd.exe"
         header-field-group root.exe
           header-field root.exe request-line contain "root.exe"
         !
         content block_cmd.exe
           protocol tcp
           port 80
           url "/*"
           header-field-rule cmd.exe
           add service dummy
           active
         content block_root.exe
           protocol tcp
           port 80
           url "/*"
           header-field-rule root.exe
           add service dummy
           active

>The ideal result is to prevent nimda GET probes from ever
>reaching the destination address, but causing the session
>to be reset towards the server after the open handshake but
>before the GET can be sent to the server would be acceptably
>useful.

note that only the CSS and the CE in the above will actually prevent the 
'tcp syn' from propagating, and they'll establish the tcp 3-way handshake, 
receive the HTTP headers and then match the request to be an "attack".
NBAR will only match the headers on connections that successfully establish 
a 3-way handshake.  (NBAR won't cause the router to spoof the TCP setup - 
so-called delayed-binding).


cheers,

lincoln.
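Added example, not part of Lincoln's post or of any Cisco product: the same cmd.exe / root.exe request-line patterns the rules above block, applied in Python to web-server access logs so a defender can see which sources are sending the probes. The log lines are constructed, and matching case-insensitively is an assumption based on IIS treating paths case-insensitively.

```python
import re
from collections import Counter

# Same URL patterns as the Content Engine rules, applied to the request-line.
# Matching is case-insensitive (assumption: IIS paths are case-insensitive,
# so a probe for CMD.EXE would otherwise slip past a case-sensitive match).
PROBE_PATTERNS = [re.compile(r"/cmd\.exe", re.IGNORECASE),
                  re.compile(r"/root\.exe", re.IGNORECASE)]

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')

def is_probe(request_line: str) -> bool:
    """True if the HTTP request-line's URL carries one of the blocked patterns."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    url = parts[1]  # works for both "/path" and proxy-style "http://host/path"
    return any(p.search(url) for p in PROBE_PATTERNS)

def probe_sources(log_lines):
    """Count matching requests per source address from access-log lines.
    Returns (Counter of source -> hits, number of unparseable lines)."""
    hits = Counter()
    bad = 0
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            bad += 1
            continue
        src, request = m.group(1), m.group(2)
        if is_probe(request):
            hits[src] += 1
    return hits, bad

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:23:40:01 -0700] "GET /scripts/root.exe HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:23:40:02 -0700] "GET /some/dir/CMD.EXE HTTP/1.0" 404 -',
    '198.51.100.7 - - [18/Sep/2001:23:41:10 -0700] "GET /index.html HTTP/1.1" 200 5120',
    'garbage line',
]

if __name__ == "__main__":
    hits, bad = probe_sources(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} probe(s)")
    print(f"unparseable lines: {bad}")
```

As Lincoln notes for NBAR, a log-based check like this only sees requests that completed the handshake and reached the server; it identifies sources after the fact rather than blocking the probe.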
