[cobalt-users] OT: Block Code Red resource usage on Cobalt servers
- Subject: [cobalt-users] OT: Block Code Red resource usage on Cobalt servers
- From: "Andrew Kinney" <andykinney@xxxxxxxxxxxx>
- Date: Fri Sep 21 03:23:21 2001
- Organization: Advantagecom Networks, Inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello,
Though Code Red and other similar worms don't infect Cobalt
servers, the little script below (watch out for line wraps - each line
begins with echo or kill) will patch a potential bandwidth denial-of-
service attack that affects any Apache-based system.
This morning, a Code-Red-like worm started scanning port 80 on all
of our systems (nearly all Cobalt) for some NT/IIS-related files. As
a result of the huge volume of 404 errors, we started having
bandwidth problems and packet-processing (high volume of small
packets) issues on our routers and bandwidth managers. After
some digging, we came up with the following partial fix. It reduces
the number of bytes and packets sent in response to the requests
to the web server generated by these worms. On our network, it
reduced traffic enough that we no longer have packet loss, and it
significantly reduced the bandwidth usage generated by the worm.
To apply the "patch" (of sorts), telnet into your server and "su" to
root. Then, copy/paste the text into the telnet session. It adds
some directives to access.conf and rereads the Apache config
files.
***Disclaimer:***
Use this at your own risk and expense. Don't ask me about how to
do things or how to use this. In other words, if you don't know what
you're doing (or even if you do), don't send any email to me
directly. I'm supplying this information to be helpful, not to be
inundated with questions and comments about it. If you have a
question or comment, send it to the list - if the list flames you
because of your comment or question, that is also not my problem.
echo '' >> /etc/httpd/conf/access.conf
echo '# deny all the code red related crap' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*root.exe">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*cmd.exe">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
echo '<Location ~ ".*default.ida">' >> /etc/httpd/conf/access.conf
echo 'deny from all' >> /etc/httpd/conf/access.conf
echo 'ErrorDocument 403 " ' >> /etc/httpd/conf/access.conf
echo '</Location>' >> /etc/httpd/conf/access.conf
echo '' >> /etc/httpd/conf/access.conf
kill -HUP `cat /var/run/httpd.pid`
Sincerely,
Andrew Kinney
President and
Chief Technology Officer
Advantagecom Networks, Inc.
http://www.advantagecom.net
509-522-3696, extension 101
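As an added example, not part of the original post, the following Python script applies the same three path patterns used in the access.conf blocks above to Apache common-log lines, so an admin can see which sources are sending the probes and how many bytes the server returned to them before and after the patch. The log lines are constructed sample data and the 284-byte 404 body and 1-byte 403 body are assumed sizes.

```python
import re
from collections import defaultdict
# Apache common log format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
# The same three regexes the post's <Location ~ "..."> blocks use.
WORM_PATTERNS = [re.compile(p) for p in (".*root.exe", ".*cmd.exe", ".*default.ida")]

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    sent = m.group("bytes")
    return {
        "host": m.group("host"),
        # <Location> matches the URL path only, so drop the query string as Apache does.
        "path": m.group("path").split("?", 1)[0],
        "bytes": 0 if sent == "-" else int(sent),
    }

def is_worm_probe(path):
    """True if the path would be caught by one of the post's Location blocks."""
    return any(p.match(path) for p in WORM_PATTERNS)

def summarize(lines):
    """Return ({host: {"requests": n, "bytes": b}}, total_bytes) over worm probes only."""
    per_host = defaultdict(lambda: {"requests": 0, "bytes": 0})
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        per_host[rec["host"]]["requests"] += 1
        per_host[rec["host"]]["bytes"] += rec["bytes"]
        total += rec["bytes"]
    return dict(per_host), total

# Constructed sample log: three probes answered with the stock 404 page, one normal
# request, and one probe answered after the patch (403 with the one-byte body).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2001:03:01:12 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
10.0.0.5 - - [21/Sep/2001:03:01:13 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
10.0.0.9 - - [21/Sep/2001:03:01:14 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 284
192.0.2.7 - - [21/Sep/2001:03:01:15 -0700] "GET /index.html HTTP/1.0" 200 1532
10.0.0.5 - - [21/Sep/2001:03:02:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 1
"""
```

Run `summarize(open("/var/log/httpd/access_log").readlines())` against a real log to compare the per-probe byte counts before and after adding the Location blocks.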