> Has anyone else tried this? What's the potential downside?
> I tried it on several machines and the log entries for Code
> Red attempts went from about 1 per minute down to zero.
We've been using host header names for quite some time, though not
specifically as a security measure. It forces the browser to provide an HTTP
Host header to identify the FQDN from which it's requesting. This allows you
to bind multiple virtual servers to a single IP address (which is why we use
it).
Using host header names will prevent your web server from handling requests
that don't specify the host in the HTTP header; worm-based attacks generally
fall into this category. For other attacks, though, it's pretty trivial to
write a script that performs a reverse DNS lookup, then takes the returned
FQDN value and puts that in the HTTP Host header, so it's not much of a
security measure by itself - security through obscurity.
There are two points worth noting. First, your IIS server is still receiving
the requests - it's just not logging those requests, since it doesn't have a
virtual server which will accept the requests. Second, I wouldn't be
surprised to see reverse DNS lookups and use of host headers in future Code
Red-type worms.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
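
The host-header matching discussed in the reply above, as an added example that is not part of the original message and is not IIS's own code. It assumes every virtual server on the IP address has a host header name; the names in `CONFIGURED_HOSTS` and the sample requests are constructed.

```python
import ipaddress

# Assumption: host header names bound on the server (hypothetical values).
CONFIGURED_HOSTS = {"www.example.com", "intranet.example.com"}

def host_header(raw_request: bytes):
    """Return the Host header value from a raw HTTP request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def classify(raw_request: bytes, configured=CONFIGURED_HOSTS) -> str:
    """Decide whether any configured virtual server would take the request."""
    host = host_header(raw_request)
    if not host:
        return "rejected: no Host header"
    # Drop an optional port; unwrap a bracketed IPv6 literal.
    if host.startswith("["):
        name = host[1:].split("]", 1)[0]
    else:
        name = host.rsplit(":", 1)[0] if ":" in host else host
    name = name.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "rejected: Host is an IP literal"
    except ValueError:
        pass  # not an IP address, so treat it as a DNS name
    if name not in configured:
        return "rejected: unknown host name"
    return "accepted"

# Constructed sample requests, one per case.
SAMPLES = {
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
    "ip_host": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "unknown": b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
    "matching": b"GET /index.cfm HTTP/1.1\r\nHost: WWW.Example.com:80\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:9s} {classify(request)}")
```

The `matching` request is accepted no matter who sent it, so the check only filters clients that do not know a configured name.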