Using NBAR to block Nimda
-----BEGIN PGP SIGNED MESSAGE-----

Does anyone have a comprehensive filter to stop Nimda using Cisco's NBAR?

Matt

__________________________ http://www.invision.net/ _______________________
Matthew E. Martini, PE          InVision.com, Inc.         (631) 543-1000 x104
Chief Technology Officer        matt@invision.net          (631) 864-8896 Fax
_______________________________________________________________________pgp_

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQEVAwUBO6ke4GtXn16/JS7ZAQEUoAgAjvwY/fnoJmtmMke03I8uOIxDNUzGqX+e
sP5L9Fcekg4qKF7Jix4dW+Hk+jZuwp0cSHwRsiGswqIHgHZVjRjliMD4QTjDO4FU
vYUSKM4nedZhTBjIDlMp3AT9BfLjI1pV1tzYbo2L8otMGdeO3Iv/Ymd+LGZx22Fl
eNvIOE+LzfipupFcA12AXstJvTH9QZ4Vuzap7ckxzA5NrTXtWphhjiLX0gKqlTsc
aXp/oL/UfzMps7LiF+my2OsKCBIjyA+mLon0qdS5vs8rGtuES3wADmX/sDF8wuhr
9LFpI2VmM5JcrjwwEZIfc5Iq6M4h0so3nfwJDyBh0x5cDlDNimWH6w==
=+Ucd
-----END PGP SIGNATURE-----
Matt,

Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

Alex Yeung
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Matt Martini
Sent: Wednesday, September 19, 2001 3:41 PM
To: nanog@merit.edu
Subject: Using NBAR to block Nimda
Does anyone have a comprehensive filter to stop Nimda using Cisco's NBAR?
Matt
On Wed, 19 Sep 2001, Alex Yeung wrote:
Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

cco login required, thanks anyway

-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
replace "customer" with "public"

Adi

On Wed, Sep 19, 2001 at 04:16:59PM -0700, Dan Hollis wrote:
On Wed, 19 Sep 2001, Alex Yeung wrote:
Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
cco login required, thanks anyway
Replacing the word "customer" with "public" usually fixes that...

----- Original Message -----
From: "Dan Hollis" <goemon@anime.net>
To: "Alex Yeung" <alyeung@cisco.com>
Cc: "Matthew E. Martini" <martini@invision.net>; <nanog@merit.edu>
Sent: Wednesday, September 19, 2001 7:16 PM
Subject: RE: Using NBAR to block Nimda
On Wed, 19 Sep 2001, Alex Yeung wrote:
Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
cco login required, thanks anyway
] > http://www.cisco.com/warp/customer/63/nimda.shtml
] > http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
]
] cco login required, thanks anyway

Try the non-CCO versions here:

http://www.cisco.com/warp/public/63/nimda.shtml
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

-- 
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");
The basics of using NBAR as an IDS can be found here:

http://iponeverything.net/CodeRed.html

The page above is specifically for Code Red, but the same technique can be used for blocking many different exploits. Just modify the class map as you like to block Nimda or anything else.

Randy

----- Original Message -----
From: "Dan Hollis" <goemon@anime.net>
To: "Alex Yeung" <alyeung@cisco.com>
Cc: "Matthew E. Martini" <martini@invision.net>; <nanog@merit.edu>
Sent: Wednesday, September 19, 2001 7:16 PM
Subject: RE: Using NBAR to block Nimda
On Wed, 19 Sep 2001, Alex Yeung wrote:
Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
cco login required, thanks anyway
At 10:25 PM 9/19/01, Randy Benn wrote:
The basics of using NBAR as an IDS can be found here: http://iponeverything.net/CodeRed.html
The page above is specifically for Code Red, but the same technique can be used for blocking many different exploits. Just modify the class map as you like to block Nimda or anything else.
I'm presently running using the policy map config example, and having some real problems. While the traffic is no longer getting to the servers, the servers wind up with massive quantities of open TCP sessions. These take long enough to die that Apache winds up maxing out on processes.

Two possible alternative approaches that I'd like to explore:

1. Some mechanism that builds on the present stuff, but sends a TCP RST off to the web server to get the TCP session terminated.

2. Alternative approach: use the timed access lists to place a temporary filter rule into the input filter for any IP address which matches on URL. This would protect the servers better, in that it'd block the TCP connections (after the first one) from a server entirely. This wasn't an issue really for CodeRed, but is a major issue for nimda, since it opens many connections.

If anyone has insight on how to implement either of these, I'd like to hear about it.

-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
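An IOS configuration of the kind the two Cisco pages linked earlier describe and Randy suggests adapting, added here as an illustration; it is not anything posted in this thread and is not copied from Cisco's pages. It uses the mark-then-filter approach the second Cisco URL's name refers to: an NBAR class map matches HTTP requests by URL, a policy map sets a DSCP value on those packets at the upstream interface, and an extended ACL on the server-facing interface drops anything carrying that mark. The URL patterns are an assumption (the commonly published Nimda and Code Red request strings; take the authoritative list from the Cisco pages), the interface names are placeholders, and DSCP 1 is an arbitrary marker chosen because nothing legitimate sets it.

```cisco
! Added example, not from the thread or from Cisco's pages.
! NBAR classification requires CEF switching.
ip cef
!
! Classify HTTP requests whose URL contains any of the worm request strings.
! Patterns are an assumption here; use the list from the linked Cisco pages.
class-map match-any http-worms
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.eml*"
  match protocol http url "*default.ida*"
!
! Mark matching packets instead of dropping them in the policy map, so the
! actual filtering happens in an ACL whose hit counters are easy to read.
policy-map mark-inbound-http-worms
  class http-worms
    set ip dscp 1
!
! Apply the classification inbound on the Internet-facing interface (placeholder name).
interface Serial0/0
  description Upstream link (placeholder)
  service-policy input mark-inbound-http-worms
!
! Drop the marked packets on the way out toward the web servers; permit the rest.
access-list 100 deny   ip any any dscp 1
access-list 100 permit ip any any
!
interface FastEthernet0/1
  description Server segment (placeholder)
  ip access-group 100 out
!
! Verification from enable mode:
!   show policy-map interface Serial0/0   (per-class match counters)
!   show access-lists 100                 (deny hit counter for marked packets)
```

One caveat this configuration shares with the policy-map example Daniel is running: NBAR can only classify on the URL once the HTTP request arrives, and that request is sent after the TCP three-way handshake has completed, so the web server has already accepted the connection by the time the GET is dropped. The server then waits for a request that never comes until its own timeout expires (for Apache, the Timeout directive governs that wait), which is exactly the pile-up of open sessions described above. Filtering at the router stops the payload from reaching the server but does not by itself shorten that wait; lowering the server-side request timeout is the complementary mitigation on the server.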
I've been collecting the blocking info from today and yesterday's nanog onto a page:

http://kgate.virtual.net/cgi-bin/wiki.cgi?action=Browse&id=NIMDAWormBlocking

So far:

snort
Squid
ipfw
ruby script
procmail rulesets
F5 Big IP
Nortel/Alteon topology trap
Cisco NBAR
Cisco CSS11K, Cisco Content Engine
apache (updated w/mod_throttle info)
iptable deny SRC

Matt Martini wrote:
Does anyone have a comprehensive filter to stop Nimda using Cisco's NBAR?
Matt
-- 
========================================================================
Strata Rose Chalup [KF6NBZ]                     strata "@" virtual.net
VirtualNet Consulting                            http://www.virtual.net/
** Project Management & Architecture for ISP/ASP Systems Integration **
=========================================================================
participants (9)

- Alex Yeung
- Andrew Metcalf
- Dan Hollis
- Daniel Senie
- Matt Martini
- R.P. Aditya
- Randy Benn
- Rob Thomas
- Strata Rose Chalup