
[cobalt-security] Re: Code Red Countermeasures [WAS: RE: Code Red Special Effects]



Kevin,

RE: stealthed ports:  a popular idiomatic (and shorter) way of saying:  Set
up ipfilters, ipchains or other firewall rules to drop and not acknowledge
port scans, when they fall within certain rulesets, well established by
knowledgeable security professionals.  Stealth is 'DENY (or DROP)' vs.
'REJECT (or RETURN)' in the Policy def in the rulesets for each port and/or
protocol.

RE:  redirect:  Use the port redirection within Linux.  Set up services on
unmapped and infrequently used ports, and then remap them to listen through
a filter to the more customary ones.  Redirect all traffic destined for
ports on your machines that violate certain of your rulesets to the bit
bucket.  This also helps you to not run any Linux boot services that use
TCP/IP or other network protocols as root.

RE:  "hook" a 'probe':  The current problems (including w/ Qwest DSL modems
and Cisco routers, as well as the so-called 'transparent proxies') we are
having with Code Red and its variants are because of the 'probes' initiated
by infected machines to spread the infection.  They consist of malformed or
otherwise non-standard packets, forwarded as requests to various and sundry
network ports on our machines.  There is a timeout value, based on the
'species' of probe (its protocol, framestate, frame and other makeup,
traffic and info package, frequency of repetition, port and protocol it is
carried on from the infected machine and thence over the network and to
addresses on the target, etc.).  Interesting things can be done if the
'probe' is recognized as abnormal and probably malevolent, and different
behavior by the targeted host is initiated at the protocol level.  Hogwash
operates somewhat in this way and there is an interesting rchains script on
various bulletin boards that essentially stretches out the attack to
unmanageable levels from the standpoint of the attacker.  This is
accomplished by filtering at the proxy, using webcache (if included) on the
router (Cisco's WCCP protocol and Cacheflow).  One of the URLs is Tom
Liston's original idea for the 'hook' or slowdown at:

http://www.incidents.org/archives/intrusions/msg01215.html

the all-important validation by Mihnea Stonescu at

http://www.incidents.org/archives/intrusions/msg01239.html

and Tom's "Code Redneck" tool, found at

http://www.hackbusters.net/CodeRedneck.tgz

with an explanation at

http://www.incidents.org/diary/august2001.php

Remember:
"Si vis pacem, para bellum."

Mike
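The protocol-level 'hook' Mike describes, as an added illustration that is not code from the original post, from Hogwash, or from Tom Liston's Code Redneck: a minimal LaBrea-style tarpit reply builder. It assumes the zero-window persist trick as the slowdown mechanism, constructed RFC 5737 documentation addresses for the sample probe, and that the raw-socket receive/send plumbing lives elsewhere.

```python
import struct
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10  # TCP flag bits used below

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 ones-complement checksum over the IPv4 pseudo-header + segment.
    Returns 0 when run over a segment that already carries a valid checksum."""
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(sport, dport, seq, ack, flags, window, src_ip, dst_ip):
    """Pack a 20-byte TCP header (no options, no payload) with its checksum."""
    header = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF,
                         ack & 0xFFFFFFFF, (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]

def parse_tcp(segment):
    """Unpack the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "checksum": csum}

def tarpit_reply(attacker_ip, target_ip, segment, our_isn=0):
    """Hook a probe: answer a bare SYN with a SYN/ACK that acknowledges seq+1
    but advertises a zero window. The probing host completes its handshake,
    then may not send its payload and sits in TCP persist, re-sending window
    probes at back-off intervals while nothing further is ever answered.
    Anything that is not a bare SYN is ignored (returns None)."""
    syn = parse_tcp(segment)
    if not (syn["flags"] & SYN) or (syn["flags"] & ACK):
        return None
    return build_segment(syn["dport"], syn["sport"], our_isn, syn["seq"] + 1,
                         SYN | ACK, 0, target_ip, attacker_ip)

# Constructed sample probe (RFC 5737 documentation addresses): a bare SYN
# from infected host 192.0.2.10:40000 to port 80 on the tarpit 198.51.100.5.
ATTACKER, TARGET = "192.0.2.10", "198.51.100.5"
SAMPLE_SYN = build_segment(40000, 80, 1000, 0, SYN, 8192, ATTACKER, TARGET)
```

Feeding `tarpit_reply(...)` a real SYN captured from a raw socket and writing the returned bytes back out (inside an IP header) is all the I/O a working tarpit adds on top of this.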