Code Red Infection – ACL to Block????

wanab
Level 1

I have configured my router with the following configuration to block the Code Red worm, which I took from the Cisco security advisory, but I still have a problem with the Code Red worm coming in to my server.

I also have some doubt whether this ACL blocking procedure is correct.

a. Since the very first line of the ACL allows the www service, this already allows the worm to attack the web server, and the last line of the ACL has no effect on Code Red.

Someone please help. Is my configuration wrong?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

!

policy-map mark-inbound-http-hacks

class http-hacks

set ip dscp 1

!

!

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq 443 log

:

:

access-list 100 permit tcp ......

access-list 100 deny ip any any dscp 1 log

interface Serial0/0

description Standby Internet Router

bandwidth 2000

ip address 151.121.92.186 255.255.255.252

ip access-group 100 in

no ip mroute-cache

service-policy input mark-inbound-http-hacks

no cdp enable

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Urgent Help please!

7 Replies

beth-martin
Level 5

Looking at your config, it looks like you’ve followed the instructions in http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml pretty carefully. I assume your IIS servers are patched now but the worm advertised your host as infected. What platform and IOS software version are you running? Is this the only entry-point to your network?

What do you mean by "the worm advertised your host as infected"?

Yes, we have already patched the IIS.

My IOS is 12.1(5)T8.

I think my access-list should be:

access-list 100 deny ip any any dscp 1 log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

:

:

access-list 100 permit tcp ......

:

The statement "access-list 100 deny ip any any dscp 1 log" should be in front of "access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log".

Thanks

wanab
Level 1

The last line of the ACL should be placed before "access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log".

The ACL should look like this:

access-list 100 deny ip any any dscp 1 log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

This procedure seems to be able to block the Code Red worm, but it does not seem to indicate the number of Code Red worm attacks when using show access-list 100 (look for the number of matches at the end of each line in show access-list 100).

So far I have no indication of how many Code Red worm attacks there were, even when I try to use a web browser to simulate the worm from the internet.

I would appreciate it if someone could let me know why that is, or what I should do from here.
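The ordering point in this post, as an added example that is not from the thread or from Cisco: a small first-match model of an IOS numbered ACL with per-entry hit counters, run over two constructed requests to the web server address from ACL 100. It assumes the DSCP 1 mark is already on the packet when the ACL is consulted; on the router that only holds where the ACL is evaluated after the NBAR policy-map has marked the packet, which is why Cisco's reference configuration quoted later in this thread applies the deny ACL outbound on the inside interface rather than inbound on the outside one.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    src_port: int
    dst_ip: str
    dst_port: int
    dscp: int = 0   # assumed already set by the NBAR policy-map when the ACL runs

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every protocol
    src_port_gt: Optional[int] = None  # models "gt 1023"
    dst_ip: Optional[str] = None       # None models "any"
    dst_port: Optional[int] = None     # models "eq www" (80) or "eq 443"
    dscp: Optional[int] = None         # models "dscp 1"
    matches: int = 0                   # the "(N matches)" counter of show access-lists

    def hits(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src_port_gt is None or p.src_port > self.src_port_gt)
                and (self.dst_ip is None or p.dst_ip == self.dst_ip)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.dscp is None or p.dscp == self.dscp))

def evaluate(acl: List[Entry], p: Packet) -> str:
    # First matching entry decides and takes the hit; unmatched traffic meets the implicit deny.
    for e in acl:
        if e.hits(p):
            e.matches += 1
            return e.action
    return "deny"

WEB = "205.131.39.10"   # web server address from ACL 100 in the thread
def original_acl() -> List[Entry]:   # first post: permits first, deny dscp 1 last
    return [Entry("permit", "tcp", 1023, WEB, 80), Entry("permit", "tcp", 1023, WEB, 443),
            Entry("deny", dscp=1)]
def corrected_acl() -> List[Entry]:  # follow-up: deny dscp 1 first, then the permits
    return [Entry("deny", dscp=1), Entry("permit", "tcp", 1023, WEB, 80),
            Entry("permit", "tcp", 1023, WEB, 443)]
# Constructed traffic: a normal GET and a request NBAR has marked as a worm URL (dscp 1).
NORMAL = Packet("tcp", 40000, WEB, 80, dscp=0)
WORM = Packet("tcp", 40001, WEB, 80, dscp=1)
def run(acl_factory) -> tuple:
    # Returns (verdict per packet, hit counter per entry), like reading show access-lists.
    acl = acl_factory()
    return [evaluate(acl, p) for p in (NORMAL, WORM)], [e.matches for e in acl]
```

With the original order the worm request is permitted by the www line and the deny entry never counts a match; with the corrected order it is dropped and the deny counter increments, which is the counter to read in show access-lists.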

wvaux
Level 1

This is what your ACL should look like to effectively block the Code Red worm:

version 12.2

!

hostname R4

!

class-map match-any code-red

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

!

policy-map mark-inbound-code-red

class code-red

set ip dscp 1

!

interface Ethernet0/0

description Outside

ip address 54.254.1.12 255.255.255.0

service-policy input mark-inbound-code-red

!

interface Ethernet0/1

description Inside

ip address 161.12.64.4 255.255.254.0

ip access-group 150 out

!

access-list 150 deny ip any any dscp 1 log

access-list 150 permit ip any any

Of course, replace these test IP addresses with the ones on your network.

Thanks for help.

I noticed that you placed the "service-policy input mark-inbound-code-red" on the outside interface and applied the ACL on the inside interface.

What I am trying to do is apply the ACL on the outside interface and block incoming Code Red traffic. The intention is to block Code Red at the outside interface.

Both my "service-policy input mark-inbound-code-red" and my ACL are applied on the outside interface, with "ip access-group 100 in".

Still failing to block the Code Red worm

Below is my final config, which follows the recommendation from the Cisco web site, but it seems unable to block the worm. The IDS is still detecting the worm.

The difference between this config and the recommendation is that I have an additional ACL 101 applied on the ingress interfaces.

Can someone help on this?

*************************************************

!

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

policy-map mark-inbound-http-hacks

class http-hacks

set ip dscp 1

!

interface Ethernet0/0

ip address 205.120.92.1 255.255.255.0

ip access-group 110 out

no ip redirects

!

interface Serial0/0

ip address 155.91.92.86 255.255.255.0

ip access-group 101 in

ip accounting output-packets

ip route-cache flow

no ip mroute-cache

service-policy input mark-inbound-http-hacks

!

interface Serial0/1

description Standby Internet Router

ip address 155.91.91.90 255.255.255.0

ip access-group 101 in

ip route-cache flow

service-policy input mark-inbound-http-hacks

no fair-queue

!

!

access-list 101 deny ip any any dscp 1 log

access-list 101 permit tcp any gt 1023 host 205.120.92.99 eq www log

access-list 101 deny ip any any log

access-list 110 deny ip any any dscp 1 log

access-list 110 permit ip any any

!

****************************************************

Hi,

Any help out there?

Even after following the recommendation from the Cisco web site closely, I am still detecting the Code Red worm in my network.

From the command output below I can observe that there are matches on the worm signature, but it does not drop the packets. Something is not right.

intrt01#sh access-lists 110

Extended IP access list 110

deny ip any any dscp 1 log (51 matches)

permit ip any any (119076 matches)

intrt01#

I can see that there are 51 matches in the policy-map on interface s0/0.

intrt01#sh policy-map interface s0/0

Serial0/0

Service-policy input: mark-inbound-http-hacks (1209)

Class-map: http-hacks (match-any) (1211/2)

246 packets, 20078 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http url "*default.ida*" (1215)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*x.ida*" (1219)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*.ida*" (1223)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*cmd.exe*" (1227)

199 packets, 16670 bytes

5 minute rate 0 bps

Match: protocol http url "*root.exe*" (1231)

47 packets, 3408 bytes

5 minute rate 0 bps

Match: protocol http url "*readme.eml*" (1235)

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set

ip dscp 1

Packets marked 51