Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Code Red Infection – ACL to Block????

I have configured my router with the following configuration to block Code Red Worm which I referred to Cisco Security advisor but I still have problem on Code Red Worm coming in to my server.

I also have some doubt on should this ACL block procedure is correct.

a. Since the very first line of the ACL is to allow www service this already allow the Worm to attack the Web server and the last line of ACL has no effect to the Code Red.

Some one please help. Is my configuration wrong.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

!

policy-map mark-inbound-http-hacks

class http-hacks

set ip dscp 1

!

!

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq 443 log

:

:

access-list 100 permit tcp ......

access-list 100 deny ip any any dscp 1 log

interface Serial0/0

description Standby Internet Router

bandwidth 2000

ip address 151.121.92.186 255.255.255.252

ip access-group 100 in

no ip mroute-cache

service-policy input mark-inbound-http-hacks

no cdp enable

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Urgent Help please!

7 REPLIES
Bronze

Re: Code Red Infection – ACL to Block????

Looking at your config, it looks like you’ve followed the instructions in http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml pretty carefully. I assume your IIS servers are patched now but the worm advertised your host as infected. What platform and IOS software version are you running? Is this the only entry-point to your network?

New Member

Re: Code Red Infection – ACL to Block????

What do you mean that the worm advertised your host as infected.

Yes, we have already pathched the IIS.

My IOS is 12.1(5)T8.

I think my access-list should be :

access-list 100 deny ip any any dscp 1 log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

:

:

access-list 100 permit tcp ......

:

The statement "access-list 100 deny ip any any dscp 1 log" should be infront of the "access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log"

Thanks

New Member

Re: Code Red Infection – ACL to Block????

The last line of ACL should place before access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log.

The ACL should look like this:

access-list 100 deny ip any any dscp 1 log

access-list 100 permit tcp any gt 1023 host 205.131.39.10 eq www log

This procedures seem to be able to block the Code Red worm but it seem that it does not indicate the number of Code Red worm attacked by using show access-list 100 (look for the number of match at the back of show access-list 100)

Some far I have no indication of how many Code Red worm attacked even if I try to use web browser to simulate the worm from the internet.

Appreciate if some one can let me know why it is so.

or what should I do from here.

New Member

Re: Code Red Infection – ACL to Block????

This is what your ACL should look like to effectively block the code red worm:

version 12.2

!

hostname R4

!

class-map match-any code-red

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

!

policy-map mark-inbound-code-red

class code-red

set ip dscp 1

!

interface Ethernet0/0

description Outside

ip address 54.254.1.12 255.255.255.0

service-policy input mark-inbound-code-red

!

interface Ethernet0/1

description Inside

ip address 161.12.64.4 255.255.254.0

ip access-group 150 out

!

access-list 150 deny ip any any dscp 1 log

access-list 150 permit ip any any

of course replace these test ip address's with the ones on your network.

New Member

Re: Code Red Infection – ACL to Block????

Thanks for help.

I notices that you place the “service-policy input mark-inbound-code-red” in the outside interface and used the ACL in the inside interface.

What I am trying to do is apply the ACL in the outside interface and block incoming Code Red traffic. The intention is to block Code-Red at the outside interface.

Both my “service-policy input mark-inbound-code-red” and ACL is apply in the outside interface and “ip access-group 100 in”.

New Member

Re: Code Red Infection – ACL to Block????

Still Fail to Blocking Code Red worm

Below is my final config that Follow the recommendation from Cisco web site but it seem not able to block the worm. The IDS still detecting the worm.

The different between this config and the recommendation is that I have additional ACL 101 applied in the ingress interfaces.

Can someone help on this?

*************************************************

!

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

!

policy-map mark-inbound-http-hacks

class http-hacks

set ip dscp 1

!

interface Ethernet0/0

ip address 205.120.92.1 255.255.255.0

ip access-group 110 out

no ip redirects

!

interface Serial0/0

ip address 155.91.92.86 255.255.255.0

ip access-group 101 in

ip accounting output-packets

ip route-cache flow

no ip mroute-cache

service-policy input mark-inbound-http-hacks

!

interface Serial0/1

description Standby Internet Router

ip address 155.91.91.90 255.255.255.0

ip access-group 101 in

ip route-cache flow

service-policy input mark-inbound-http-hacks

no fair-queue

!

!

access-list 101 deny ip any any dscp 1 log

access-list 101 permit tcp any gt 1023 host 205.120.92.99 eq www log

access-list 101 deny ip any any log

access-list 110 deny ip any any dscp 1 log

access-list 110 permit ip any any

!

****************************************************

New Member

Re: Code Red Infection – ACL to Block????

Hi,

Any help out there?

With a careful follow closely with the recommendation from Cisco web site I am still detecting CodeRed Worm in my network.

From the command below I can observed that there are matches on the worm signature but it does not drop the packets. Some thing is not right.

sh intrt01#sh access-lists 110

Extended IP access list 110

deny ip any any dscp 1 log (51 matches)

permit ip any any (119076 matches)

intrt01#

I can see that there is 51 match in policy-map in interfaces s0/0.

intrt01#sh policy-map interface s0/0

Serial0/0

Service-policy input: mark-inbound-http-hacks (1209)

Class-map: http-hacks (match-any) (1211/2)

246 packets, 20078 bytes

5 minute offered rate 0 bps, drop rate 0 bps

Match: protocol http url "*default.ida*" (1215)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*x.ida*" (1219)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*.ida*" (1223)

0 packets, 0 bytes

5 minute rate 0 bps

Match: protocol http url "*cmd.exe*" (1227)

199 packets, 16670 bytes

5 minute rate 0 bps

Match: protocol http url "*root.exe*" (1231)

47 packets, 3408 bytes

5 minute rate 0 bps

Match: protocol http url "*readme.eml*" (1235)

0 packets, 0 bytes

5 minute rate 0 bps

QoS Set

ip dscp 1

Packets marked 51

144
Views
0
Helpful
7
Replies