[unisog] Code Red Filter

Anderson Johnston andy at umbc.edu
Thu Aug 2 18:36:22 GMT 2001


Just for the record, Mark reports an estimated 1,447,060 probes on today's
report.  We're working on a somewhat more condensed reporting format.

						- Andy

On Wed, 1 Aug 2001, Mark Cather wrote:

> In case anyone is looking for a way to filter out Code Red...
>
> We are using a Cacheflow web cache to filter out Code Red attacks.
> Cisco's WCCP protocol is allowing us to transparently redirect all
> inbound and outbound port 80 traffic through our web cache.  With the
> following local filter entry on the cache engine:
>
> http://.*/.*default.ida.* service=no
>
> all Code Red probes are being dropped.
>
> The filter listed dropped 494 probes last night (8pm - 9am).  Over the
> last hour (9pm - 10pm Eastern), I am averaging about 36 probes per
> minute.
>
> Another nice thing about using a web cache to filter out Code Red is
> that you get squid format logs of each probe attempt.  These logs
> include who probed and exactly when they probed (campus-wide).
>
> If anyone knows of Code Red variant that won't be caught by this filter,
> please let me know.
>
> FYI,
>
> Mark Cather
> Coordinator of Network Engineering
> OIT / UMBC
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------
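As an added example that is not part of the original thread, the script below implements the log-side view Mark describes: it parses squid native access.log lines, flags requests for `default.ida` with the same pattern idea as the cache filter, and reports probes per source and per minute. The Squid log field order and the sample lines are assumptions constructed for the example; the match is made case-insensitive because IIS paths are case-insensitive.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Squid native access.log: time elapsed client action/code size method url ident hier type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# Same idea as the cache filter in the post: any path containing default.ida is a probe.
PROBE_RE = re.compile(r"^http://[^/]*/.*default\.ida", re.IGNORECASE)

def parse_line(line):
    m = SQUID_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec

def summarize_probes(lines):
    """Return (total probes, Counter per client, Counter per UTC minute)."""
    total = 0
    per_client = Counter()
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.match(rec["url"]):
            continue  # unparseable line or ordinary web request
        total += 1
        per_client[rec["client"]] += 1
        minute = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        per_minute[minute] += 1
    return total, per_client, per_minute

# Constructed sample lines (documentation-range addresses, 2001-08-01 20:00 UTC onward).
SAMPLE_LOG = """\
996696000.101    3 192.0.2.10 TCP_DENIED/403 1432 GET http://198.51.100.5/default.ida?XXXXXXXX - NONE/- text/html
996696001.204    2 192.0.2.10 TCP_DENIED/403 1432 GET http://198.51.100.6/default.ida?XXXXXXXX - NONE/- text/html
996696005.337   15 192.0.2.44 TCP_MISS/200 5210 GET http://www.example.org/index.html - DIRECT/203.0.113.7 text/html
996696070.010    4 203.0.113.9 TCP_DENIED/403 1432 GET http://198.51.100.5/Default.IDA?XXXXXXXX - NONE/- text/html
garbage line that does not parse
"""

if __name__ == "__main__":
    total, per_client, per_minute = summarize_probes(SAMPLE_LOG.splitlines())
    print(total, "probes", dict(per_client), dict(per_minute))
```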