Learn to use the search engine on cisco.com.  It's a very valuable tool.
Searching for
+"code red" +block
yielded many results, including this one:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

Additional Workarounds for Handling "CodeRed" Traffic

Utilize the NBAR feature in supported Cisco IOS Software versions to aid in
"Code Red" traffic identification and mitigation. This is discussed in
detail at http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml. This
workaround is applicable in Cisco IOS Software version 12.1(5)T and later
for many platforms.

Classify inbound Code Red traffic with the class-based marking feature in
IOS.

Router(config)#class-map match-any http-codered
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

Mark inbound Code Red traffic with a policy map.
Once the inbound traffic has been classified as Code Red, it can be marked
with a specific DSCP. For this example, a decimal value of '1' is used as it
is unlikely that any other traffic would be marked with this DSCP.

Router(config)#policy-map mark-inbound-http-codered
Router(config-pmap)#class http-codered
Router(config-pmap)#set ip dscp 1

Apply the service policy to the 'outside' interface so inbound traffic will
be marked.

Router(config)#int e 0/1
Router(config-if)#service-policy input mark-inbound-http-codered

Block marked Code Red attempts with an ACL. The ACL will match on the DSCP
value of '1' that was marked as the Code Red attempt entered in the box.

Router(config)#access-list 105 deny ip any any dscp 1 log
Router(config)#access-list 105 permit ip any any

Apply it outbound on the 'inside' interface where the target web servers
are.

Router(config)#int e 0/1
Router(config-if)#ip access-group 105 out

----- Original Message -----
From: "shella kevin" 
To: 
Sent: Friday, August 24, 2001 6:21 AM
Subject: Re: Code Red ! [7:16950]


> Hey, experts ............ any comments ? I thought I will get some info
> on code red here ..... but looks like nothing !
>
> shella
>
> >From: "shella kevin"
> >Reply-To: "shella kevin"
> >To: [EMAIL PROTECTED]
> >Subject: Code Red ! [7:16950]
> >Date: Thu, 23 Aug 2001 04:55:48 -0400
> >
> >I am using cisco7200 series router with Version 12.0(9)S, is there
> >any way I can stop/block Code Red on router level ?
> >
> >Any other suggestions ?
> >
> >Thanks
> >Shella K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17116&t=16950
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
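
Added example (not part of the thread above and not Cisco's code): a log-side check that applies the same three URL globs as the http-codered class-map to web server access logs, so requests that reached the servers can be counted per source. The Common Log Format input, the function names, the percent-decoding and case folding, and the sample lines are assumptions of this example, not statements about how NBAR matches.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Same URL globs as the class-map http-codered in the advisory text.
PATTERNS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def matching_pattern(target):
    """Return the first glob the request target matches, else None."""
    # Decode %xx escapes and fold case so "%63md.EXE" is still caught.
    decoded = unquote(target).lower()
    for pat in PATTERNS:
        if fnmatchcase(decoded, pat):
            return pat
    return None


def scan(lines):
    """Count matching requests per (source, pattern); skip unparsable lines."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        src, _method, target, _status = m.groups()
        pat = matching_pattern(target)
        if pat:
            hits[(src, pat)] += 1
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2001:06:21:00 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 0',
    '192.0.2.10 - - [24/Aug/2001:06:21:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 0',
    '198.51.100.7 - - [24/Aug/2001:06:22:10 -0400] "GET /scripts/%63md.EXE HTTP/1.0" 404 0',
    '203.0.113.5 - - [24/Aug/2001:06:23:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for (src, pat), n in sorted(scan(SAMPLE).items()):
        print(f"{src}\t{pat}\t{n}")
```
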
