Summary: Blocking nimda probes with a content-layer switch
Joe Abley
jabley at automagic.org
Wed Sep 19 17:44:57 UTC 2001
Summary of suggested comments on defeating nimda probes follows.
Lincoln Dale's comments were cc'd to the list, but I've included
fragments here anyway just to keep them together with the other
bits.
Thanks!
Three people suggested using NBAR on cisco routers, along these
lines:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
One person suggested the following config fragment for F5's Big/IP
switches:
rule block_nimda {
    if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
        discard
    }
    else {
        use (server_pool)
    }
}
with the proviso that adjustments might be required if those URL
patterns are too general for your purposes. Users of Big/IP
versions prior to 4.0 (which don't support "discard") can
route the connections to a dummy pool.
One person was using a Nortel/Alteon switch to redirect all
traffic to a cacheflow client accelerator, then using pattern
matching on the cacheflow box to prevent the traffic reaching
the origin servers.
Lincoln suggested the following for the cisco Content Engine
and Content Services Switch:
Cisco Content Engine:
rule enable
rule block url-regex http://.*/cmd\.exe
rule block url-regex http://.*/root\.exe
Cisco CSS11K (Content Services switch):
service dummy
  ip address 10.1.1.1
  keepalive type none
  active
!
header-field-group cmd.exe
  header-field cmd.exe request-line contain "cmd.exe"
header-field-group root.exe
  header-field root.exe request-line contain "root.exe"
!
content block_cmd.exe
  protocol tcp
  port 80
  url "/*"
  header-field-rule cmd.exe
  add service dummy
  active
content block_root.exe
  protocol tcp
  port 80
  url "/*"
  header-field-rule root.exe
  add service dummy
  active
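As an added illustration (not part of the original post or any vendor's code), the three matching rules above re-expressed as Python functions and run over a few constructed access-log lines, to show what each one catches and where the "/scripts" prefix is more general than the other two:

```python
import re

# F5 Big/IP rule from the post: block when the URI starts with "/scripts"
# or contains "root.exe". Note the fragment as posted does not mention cmd.exe.
def f5_block_nimda(http_uri: str) -> bool:
    return http_uri.startswith("/scripts") or "root.exe" in http_uri

# Cisco Content Engine url-regex rules from the post. They are applied to
# the absolute URL the cache sees, hence the "http://.*/" prefix.
CE_BLOCK_REGEXES = [re.compile(r"http://.*/cmd\.exe"),
                    re.compile(r"http://.*/root\.exe")]

def ce_block(url: str) -> bool:
    return any(r.search(url) for r in CE_BLOCK_REGEXES)

# CSS header-field rules: plain substring match on the HTTP request line.
def css_block(request_line: str) -> bool:
    return "cmd.exe" in request_line or "root.exe" in request_line

# Constructed Common Log Format lines (sample data, not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.11 - - [19/Sep/2001:10:00:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.12 - - [19/Sep/2001:10:00:03 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.13 - - [19/Sep/2001:10:00:04 +0000] "GET /scripts/search.asp?q=nanog HTTP/1.0" 200 512
192.0.2.14 - - [19/Sep/2001:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<uri>\S+) (?P<ver>HTTP/[\d.]+)"')

def evaluate_log(log: str, host: str = "www.example.com") -> dict:
    """Return, per rule set, the list of request URIs it would have blocked."""
    verdicts = {"f5": [], "ce": [], "css": []}
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        uri = m.group("uri")
        request_line = f"{m.group('method')} {uri} {m.group('ver')}"
        if f5_block_nimda(uri):
            verdicts["f5"].append(uri)
        if ce_block(f"http://{host}{uri}"):   # CE matches the absolute URL
            verdicts["ce"].append(uri)
        if css_block(request_line):
            verdicts["css"].append(uri)
    return verdicts
```

Running `evaluate_log(SAMPLE_LOG)` shows the F5 prefix rule also discarding the legitimate `/scripts/search.asp` request while missing the `cmd.exe` probe, whereas the CE and CSS rules block exactly the three probe lines.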
Lincoln also pointed out that the CSS and CE configs above will
prevent the client's TCP SYN from reaching the server (the devices
will accept the TCP sessions and receive the HTTP headers before
deciding whether to pass them on to the servers). NBAR will only
match the HTTP headers on TCP sessions that successfully establish
a TCP session with the server ("delayed binding").