[cobalt-security] Re: Code Red Countermeasures [WAS: RE: Code Red Special Effects]
- Subject: [cobalt-security] Re: Code Red Countermeasures [WAS: RE: Code Red Special Effects]
- From: "Michael J. Cannon" <mcannon@xxxxxxxxxxxxxx>
- Date: Thu, 9 Aug 2001 00:50:05 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Kevin,
RE: stealthed ports: a popular idiomatic (and shorter) way of saying: "Set up ipfilters, ipchains or other firewall rules to drop and not acknowledge port scans when they fall within certain rulesets, well established by knowledgeable security professionals." Stealth is 'DENY (or DROP)' vs. 'REJECT (or RETURN)' in the Policy definition in the rulesets for each port and/or protocol.
RE: redirect: Use the port redirection within Linux. Set up services on unmapped and infrequently used ports, and then remap them to listen through a filter to the more customary ones. Redirect all traffic destined for ports on your machines that violate certain of your rulesets to the bit bucket. This also helps you to avoid running any Linux boot services that use TCP/IP or other network protocols as root.
RE: "hook" a 'probe': The current problems (including with Qwest DSL modems and Cisco routers, as well as the so-called 'transparent proxies') we are having with Code Red and its variants are because of the 'probes' initiated by infected machines to spread the infection. They consist of malformed or otherwise non-standard packets, forwarded as requests to various and sundry network ports on our machines. There is a timeout value, based on the 'species' of probe (its protocol, framestate, frame and other makeup, traffic and info package, frequency of repetition, port and protocol it is carried on from the infected machine and thence over the network and to addresses on the target, etc.). Interesting things can be done if the 'probe' is recognized as abnormal and probably malevolent, and different behavior by the targeted host is initiated at the protocol level. Hogwash operates somewhat in this way, and there is an interesting rchains script on various bulletin boards that essentially stretches out the attack to unmanageable levels from the standpoint of the attacker. This is accomplished by filtering at the proxy, using webcache (if included) on the router (Cisco's WCCP protocol and Cacheflow). One of the URLs is Tom Liston's original idea for the 'hook' or slowdown at:
http://www.incidents.org/archives/intrusions/msg01215.html
the all-important validation by Mihnea Stonescu at
http://www.incidents.org/archives/intrusions/msg01239.html
and Tom's "Code Redneck" tool, found at
http://www.hackbusters.net/CodeRedneck.tgz
with an explanation at
http://www.incidents.org/diary/august2001.php
Remember:
"Si vis pacem, para bellum."
Mike
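As an added example (not part of Mike's post or of anything on the cobalt-security list), here are the first two points above, "stealth" (DROP instead of REJECT) and port redirection so the daemon need not run as root, written as a netfilter/iptables script. It assumes a Linux 2.4 or later host with iptables (ipchains syntax differs), an external interface named eth0 and a web daemon listening on the unprivileged port 8080; both names are hypothetical. DRY_RUN=1, the default, prints the rules instead of applying them, so the script can be read and exercised without root; run it as `sh stealth.sh apply` on the firewall host itself.

```bash
#!/bin/sh
# Added example, not the list author's script. Assumptions: iptables present,
# PUBLIC_IF and WEB_PORT are hypothetical values for the host in question.
DRY_RUN="${DRY_RUN:-1}"
PUBLIC_IF=eth0      # hypothetical external interface
WEB_PORT=8080       # hypothetical unprivileged port the web daemon binds to

# Wrapper: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# "Stealth": the INPUT policy is DROP, so a packet to any port not listed
# here is discarded silently. A scanner gets no RST or ICMP error and has
# to sit out its own timeout on every probed port.
stealth_rules() {
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -j ACCEPT
    # The filter table sees the port AFTER nat/PREROUTING rewrote it,
    # so the redirected web traffic must be accepted on WEB_PORT, not 80.
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$WEB_PORT" -j ACCEPT
}

# The non-stealth alternative, for comparison only: closed ports answer at
# once with a TCP RST or ICMP port-unreachable. Friendlier to legitimate
# clients, but it tells a scanner immediately which ports are closed.
reject_rules() {
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Redirect: rewrite public port 80 to the daemon's unprivileged port before
# routing. The daemon can then bind above 1024 and never start as root.
redirect_rules() {
    ipt -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$WEB_PORT"
}

# Full ruleset as deployed: stealth policy plus the redirect.
all_rules() {
    stealth_rules
    redirect_rules
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
all_rules
```

Run without arguments the script only prints the rules; compare that output against the REJECT variant from `reject_rules` to see exactly which lines differ between a "stealthed" and a "loud" host. Note that with the redirect in place the daemon is also reachable directly on port 8080 from outside, which is why the stealth rules accept that port explicitly rather than port 80.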