Code Red Filter
mark.cather at umbc.edu
Thu Aug 2 02:31:41 GMT 2001
In case anyone is looking for a way to filter out Code Red...
We are using a Cacheflow web cache to filter out Code Red attacks.
Cisco's WCCP protocol is allowing us to transparently redirect all
inbound and outbound port 80 traffic through our web cache. With the
following local filter entry on the cache engine:
all Code Red probes are being dropped.
The filter listed dropped 494 probes last night (8pm - 9am). Over the
last hour (9pm - 10pm Eastern), I am averaging about 36 probes per
Another nice thing about using a web cache to filter out Code Red is
that you get squid format logs of each probe attempt. These logs
include who probed and exactly when they probed (campus-wide).
If anyone knows of a Code Red variant that won't be caught by this filter,
please let me know.
Coordinator of Network Engineering
OIT / UMBC
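As an added example (not from the original post or from UMBC's setup), the kind of after-the-fact review the squid-format logs make possible: a small Python script that parses squid native access-log lines, flags Code Red probe attempts by their default.ida request shape, and totals them per source host and per UTC hour. The field order of the log, the probe pattern and the sample log lines are all assumed or constructed here; a given cache engine's log layout may differ.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Squid native access-log layout, assumed here for the cache engine's "squid format" logs:
#   timestamp elapsed client action/code size method url rfc931 hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
# A Code Red probe requests /default.ida with a long padding run (N in the first
# variant, X in the later one) followed by %uXXXX escapes; only the URL shape matters.
CODE_RED_URL = re.compile(r"/default\.ida\?[NX]{20,}\S*%u[0-9a-fA-F]{4}")

def parse_line(line):
    """Return (UTC datetime, client, url) for one squid-format line, or None if malformed."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    return datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc), m["client"], m["url"]

def is_code_red_probe(url):
    return CODE_RED_URL.search(url) is not None

def summarize(lines):
    """Return (total probes, Counter by source host, Counter by UTC hour)."""
    by_client, by_hour = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not is_code_red_probe(parsed[2]):
            continue
        when, client, _ = parsed
        by_client[client] += 1
        by_hour[when.strftime("%Y-%m-%d %H:00")] += 1
    return sum(by_client.values()), by_client, by_hour

# Constructed sample lines (not real traffic); the %u tail is shortened for the example.
TAIL = "%u9090%u6858%u00=a - NONE/- -"
SAMPLE_LOG = [
    "996717600.123 5 192.0.2.10 TCP_DENIED/403 0 GET http://198.51.100.5/default.ida?" + "N" * 224 + TAIL,
    "996717700.456 4 192.0.2.10 TCP_DENIED/403 0 GET http://198.51.100.5/default.ida?" + "X" * 224 + TAIL,
    "996721300.789 6 203.0.113.7 TCP_DENIED/403 0 GET http://198.51.100.9/default.ida?" + "N" * 224 + TAIL,
    "996721400.000 12 192.0.2.20 TCP_MISS/200 5120 GET http://www.umbc.edu/ - DIRECT/198.51.100.9 text/html",
    "this line is not a squid log entry",
]

if __name__ == "__main__":
    total, by_client, by_hour = summarize(SAMPLE_LOG)
    print(f"{total} Code Red probes", dict(by_client), dict(by_hour))
```

Pointing the script at the cache's real access log instead of SAMPLE_LOG gives the per-host and per-hour counts the post describes, with the caveat that a variant using a different request path would need its own pattern.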