Security Incidents mailing list archives
Re: "Nimda"?
From: John.Swarbrick () pnl co uk
Date: Wed, 27 Feb 2002 17:03:44 +0000
> There's no way to stop the requests coming in, as you have no idea where to expect them from. You can blackhole or deny hosts as you find their IPs, but I get hit from all over the net, all day, every day.
Although I don't use these methods myself, there are ways to filter Nimda (and similar signatures) before they reach your servers. These options are best deployed in situations when your bandwidth may be limited, for example in small to medium sized companies to maximise usage of links for 'official' business. Bear in mind though, that these methods will use up CPU cycles and other resources on the hardware performing the filtering, and of course they would need to be implemented at the ISP's end of the link.

These are just examples, which can be modified to match any signatures, for example Nimda:

1. Use Cisco Network-Based Application Recognition (NBAR) to filter readme.eml files from being downloaded. Here's an example for configuring NBAR:

    Router(config)#class-map match-any http-hacks
    Router(config-cmap)#match protocol http url "*cmd.exe*"

   Once you have matched the traffic, you can choose to discard or Policy Based Route the traffic to monitor infected hosts.

2. Using IPTables (v1.2.3 or higher):

    $IPTABLES -I INPUT -p tcp --dport 80 -m string --string ".exe?" \
      -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset

Best regards,

John Swarbrick
Senior Linux Engineer
Phoenix Networks Ltd
Phone: 01332 680000
Email: john.swarbrick () pnl co uk
Web: http://www.pnl.co.uk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
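As an added example (not part of John's post or the thread), a small Python log scanner that applies the same signature idea on the web server itself rather than at the ISP: it flags Nimda-style request URIs in Apache access-log lines using the cmd.exe, readme.eml and ".exe?" strings discussed above, counts hits per source address, and renders the kind of per-host blackhole rules the quoted poster describes. The log lines and IP addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Feb/2002:16:58:01 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [27/Feb/2002:16:58:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [27/Feb/2002:16:59:10 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [27/Feb/2002:17:00:00 +0000] "GET /readme.eml HTTP/1.0" 404 276
198.51.100.7 - - [27/Feb/2002:17:00:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120
"""

# Request-URI substrings taken from the post: the NBAR url match, the readme.eml
# filter and the iptables --string ".exe?" match. Compared case-insensitively.
SIGNATURES = ("cmd.exe", "readme.eml", ".exe?")

# Extracts the client address and the request URI from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)')


def is_probe(uri):
    """True if the request URI contains one of the worm signatures."""
    lowered = uri.lower()
    return any(sig in lowered for sig in SIGNATURES)


def scan_log(text):
    """Count signature hits per source IP; lines that do not parse are skipped."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_probe(m.group("uri")):
            hits[m.group("ip")] += 1
    return hits


def deny_rules(hits, threshold=1):
    """Render one iptables DROP rule per offending source (sorted for stable output)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, count in sorted(hits.items()) if count >= threshold]


if __name__ == "__main__":
    for rule in deny_rules(scan_log(SAMPLE_LOG)):
        print(rule)
```

Raising `threshold` lets a noisy-but-legitimate client survive a single stray match while repeat probers are still blackholed.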
Current thread:
- "Nimda"? Bradley, Tony (Feb 26)
- Re: "Nimda"? Eric Brandwine (Feb 27)
- Re: "Nimda"? Devdas Bhagat (Feb 27)
- Re: "Nimda"? Jay D. Dyson (Feb 27)
- Re: "Nimda"? Greg A. Woods (Feb 27)
- <Possible follow-ups>
- RE: "Nimda"? Doug Harold (Feb 27)
- Re: "Nimda"? Joshua_Hiller (Feb 27)
- Re: "Nimda"? John . Swarbrick (Feb 27)
- RE: "Nimda"? McCammon, Keith (Feb 27)
- Re: "Nimda"? Greg Williamson (Feb 28)
- Re: "Nimda"? Jay D. Dyson (Feb 28)
- Question sherman.hand (Feb 28)
- Re: Question Valdis . Kletnieks (Feb 28)
- Re: "Nimda"? Nick FitzGerald (Feb 28)
- Re: "Nimda"? Greg Williamson (Feb 28)