This document provides information on filtering the Code Red worm on
Cisco Cache and Content Engines.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
For more information on document conventions, refer to the
Cisco Technical Tips
In this section, you are presented with the information to configure
the features described in this document.
Many transparent caches are being overwhelmed when attempting to
connect to nonexistent sites. This document provides a solution to filter out
the Code Red worm that can affect Cisco caching solutions. Code Red uses a
buffer-overflow exploit in a default.ida script on Internet Information Servers
(IIS). Code Red uses this Hypertext Transfer Protocol (HTTP) request:
The long-string-of-data from the example
above is the buffer overflow and instruction code for the worm itself. You can
filter this by using a block rule that uses a url-regex to match the content.
For Cisco Cache Engine hardware running CE2.XX software, and Cisco Content
Engine hardware running 2.XX or 3.XX software, configure as follows:
rule block url-regex ^http://.*/default\.ida$
rule block url-regex ^http://.*www\.worm\.com/default\.ida$
Issue the show rule all command to display
the number of hits that accumulate against this block rule. For Content Engine
hardware running 3.XX software, you can be more specific: instead of blocking
the request, rewrite it to a page on a local Web server that indicates that
your site is infected. Use a rule similar to this one:
rule rewrite url-regsub ^http://.*/default\.ida$ http://local-webserver/codered.html
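The following is an added example, not part of the original document or of Cisco's software: a Python harness that runs the regular expressions from the rule lines above over constructed sample URLs, so you can see what they match before you commit them to a device. It assumes Python's re engine behaves like the Content Engine's matcher for these patterns; the sample URLs and the function names are invented for illustration.

```python
import re

# Patterns and rewrite target copied from the rule lines on this page.
ANY_HOST = re.compile(r"^http://.*/default\.ida$")
WORM_HOST = re.compile(r"^http://.*www\.worm\.com/default\.ida$")
REWRITE_TO = "http://local-webserver/codered.html"

# Constructed sample URLs (not captured traffic); hosts are placeholders.
SAMPLES = [
    "http://www.worm.com/default.ida",
    "http://192.0.2.10/default.ida",
    "http://example.com/scripts/default.ida",  # ".*" also spans path segments
    "http://example.com/defaultXida",          # escaped dot: not matched
    "http://example.com/default.idaq",         # "$" anchor: not matched
    "http://example.com/default.ida?AAAA",     # constructed query string
    "http://example.com/index.html",
]


def evaluate(url):
    """Return which of the page's rules fire for url, and the rewritten URL."""
    return {
        "block_any_host": bool(ANY_HOST.search(url)),
        "block_worm_host": bool(WORM_HOST.search(url)),
        # url-regsub equivalent: unmatched URLs come back unchanged.
        "rewritten": ANY_HOST.sub(REWRITE_TO, url),
    }


def worm_rule_is_subset(urls):
    """True if every URL hit by the www.worm.com rule is also hit by the any-host rule."""
    return all(ANY_HOST.search(u) for u in urls if WORM_HOST.search(u))


if __name__ == "__main__":
    for url in SAMPLES:
        r = evaluate(url)
        print(f"{url:42} any={r['block_any_host']!s:5} "
              f"worm={r['block_worm_host']!s:5} -> {r['rewritten']}")
    print("www.worm.com rule covered by any-host rule:",
          worm_rule_is_subset(SAMPLES))
```

Under Python's engine the $ anchor keeps both patterns from matching a URL that carries a query string, and every URL the www.worm.com rule matches is already matched by the any-host rule. Whether the Content Engine passes the query string to url-regex is not stated in this document, so confirm the behaviour on the device with the show rule all hit counters.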
There is currently no verification procedure available for this
There is currently no specific troubleshooting information available
for this configuration.