Precautions against Code Red

Anderson Johnston andy at umbc.edu
Tue Jul 31 19:52:23 GMT 2001



Getting ready for 0 UTC ...

-	IDS has rules for detecting requests with ".ida?" to port 80, inbound or
	outbound, with or without size constraints.

-	IDS has rules logging tcp, udp and icmp traffic to whitehouse IP
	targeted by Code Red.

-	Webcache is filtering incoming and outgoing port 80 requests for string
	"default.ida" and rejecting them.  It's also generating a daily report of
	the rejects.

-	Mini-honeypots (netcat) set up on IPs purposely left out of webcache
	filtering.

-	Running a second scan for vulnerable hosts to see how first round of
	patches went.


If anyone can think of a last-minute preparation I'm missing, please let me
know.  This is good practice for the next, meaner, nastier version.

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Distributed Systems Manager            * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC *        5D 44 1E 2E A6 7C 91 7A  **
** 410-455-2583 (v)/410-455-1065 (f)      *        C4 66 5F D5 BA B9 F6 58  **
------------------------------------------------------------------------------
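A detection check in the spirit of the IDS and webcache rules listed in the post, added here as an example and not code from the original message: it parses constructed Common Log Format lines, flags requests whose target contains ".ida?" with an optional minimum query length (the "size constraint" the post mentions), and tallies rejects per source IP the way a daily reject report would. The log lines, addresses and "N" filler are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format). The run of "N"
# stands in for the long filler a default.ida probe carries; the third line
# is a short, unrelated .ida query that a size constraint would pass over.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2001:20:01:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 320
198.51.100.4 - - [31/Jul/2001:20:01:13 +0000] "GET /index.html HTTP/1.0" 200 1024
192.0.2.9 - - [31/Jul/2001:20:03:01 +0000] "GET /docs/notes.ida?page=2 HTTP/1.0" 404 512
203.0.113.7 - - [31/Jul/2001:20:04:40 +0000] "GET /DEFAULT.IDA?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 400 320
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
IDA_RE = re.compile(r'\.ida\?(.*)$', re.IGNORECASE)


def parse_line(line):
    """Return (client_ip, method, request_target, status) or None if unparseable."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    ip, method, target, status = m.groups()
    return ip, method, target, int(status)


def is_ida_probe(target, min_query_len=0):
    """True when the request target contains ".ida?" (case-insensitive) and the
    query part is at least min_query_len characters long (0 disables the size
    constraint, matching every .ida? request)."""
    m = IDA_RE.search(target)
    return bool(m) and len(m.group(1)) >= min_query_len


def reject_report(log_text, min_query_len=0):
    """Count matching requests per source IP, as a daily reject report would."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not well-formed CLF
        ip, _method, target, _status = parsed
        if is_ida_probe(target, min_query_len):
            hits[ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in reject_report(SAMPLE_LOG, min_query_len=40).most_common():
        print(f"{ip}\t{n}")
```

With the size constraint off, the short `/docs/notes.ida?page=2` request is counted too; raising `min_query_len` keeps only the long probe-style requests.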