Code Red Filter

Mark Cather mark.cather at
Thu Aug 2 02:31:41 GMT 2001

In case anyone is looking for a way to filter out Code Red...

We are using a Cacheflow web cache to filter out Code Red attacks. 
Cisco's WCCP protocol is allowing us to transparently redirect all
inbound and outbound port 80 traffic through our web cache.  With the
following local filter entry on the cache engine: 

http://.*/.*default.ida.* service=no

all Code Red probes are being dropped.  

The filter listed dropped 494 probes last night (8pm - 9am).  Over the
last hour (9pm - 10pm Eastern), I am averaging about 36 probes per

Another nice thing about using a web cache to filter out Code Red is
that you get squid format logs of each probe attempt.  These logs
include who probed and exactly when they probed (campus-wide).

If anyone knows of Code Red variant that won't be caught by this filter,
please let me know.  


Mark Cather
Coordinator of Network Engineering

More information about the unisog mailing list