[42738] in North American Network Operators' Group


Re: Using NBAR to block Nimda

daemon@ATHENA.MIT.EDU (Daniel Senie)
Wed Sep 19 23:30:22 2001

Message-Id: <5.1.0.14.2.20010919232410.00a3e830@mail.amaranth.net>
Date: Wed, 19 Sep 2001 23:29:10 -0400
To: "Randy Benn" <rbenn@clark.net>, "Dan Hollis" <goemon@anime.net>,
	"Alex Yeung" <alyeung@cisco.com>
From: Daniel Senie <dts@senie.com>
Cc: "Matthew E. Martini" <martini@invision.net>, <nanog@merit.edu>
In-Reply-To: <001f01c1417b$871dbb20$1601010a@netpliance>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 10:25 PM 9/19/01, Randy Benn wrote:

>The basics of using NBAR as an IDS can be found here:
>http://iponeverything.net/CodeRed.html
>
>The page above is specifically for Code Red, but the same technique can be
>used for blocking many different exploits.  Just modify the class map as you
>like to block Nimda or anything else.

I'm presently running using the policy map config example, and having some 
real problems. While the traffic is no longer getting to the servers, the 
servers wind up with massive quantities of open TCP sessions. These take 
long enough to die that Apache winds up maxing out on processes. Two 
possible alternative approaches that I'd like to explore:

1. Some mechanism that builds on the present stuff, but sends a TCP RST off 
to the web server to get the TCP session terminated.

2. Alternative approach: use the timed access lists to place a temporary 
filter rule into the input filter for any IP address which matches on URL. 
This would protect the servers better, in that it'd block the TCP 
connections (after the first one) from a server entirely. This wasn't an 
issue really for CodeRed, but is a major issue for nimda, since it opens 
many connections.

If anyone has insight on how to implement either of these, I'd like to hear 
about it.

-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
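An added example, not from this thread or the referenced page, of the NBAR class-map/policy-map arrangement the message describes, written for Cisco IOS. The URL patterns are well-known Nimda and Code Red probe strings; the class, policy and interface names are assumptions.

```cisco
! Classify HTTP requests whose URL matches well-known worm probes.
! NBAR matches on the HTTP request payload, so classification can only
! happen after the TCP three-way handshake has already passed through
! the router: the server sees an established session with no request
! and holds it until its own timeout, which is the symptom described
! in the message above.
class-map match-any http-worms
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
 match protocol http url "*default.ida*"
!
! Mark matching packets so a downstream ACL can drop them.
policy-map mark-http-worms
 class http-worms
  set ip dscp 1
!
! Drop anything marked DSCP 1 before it reaches the web servers.
access-list 105 deny   ip any any dscp 1
access-list 105 permit ip any any
!
interface FastEthernet0/0
 description Internet-facing interface (assumed name)
 service-policy input mark-http-worms
!
interface FastEthernet0/1
 description Toward web servers (assumed name)
 ip access-group 105 out
```

Because only the marked request packets are dropped, the handshake itself still completes; lowering the server-side request timeout limits how long each abandoned session ties up a process.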

