Cisco 500 Series Content Engines

How to Filter Code Red on Cisco Cache and Content Engines

Document ID: 61670

Updated: Sep 08, 2004

Introduction

This document provides information on filtering the Code Red worm on Cisco Cache and Content Engines.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Configurations

Many transparent caches are being overwhelmed as they attempt to connect to nonexistent sites. This document provides a solution to filter out the Code Red worm, which can affect Cisco caching solutions. Code Red exploits a buffer overflow in the default.ida script on Microsoft Internet Information Server (IIS). Code Red uses this Hypertext Transfer Protocol (HTTP) request:

GET http://random-ip-address/default.ida?long-string-of-data

The long-string-of-data in the example above is the buffer overflow and the instruction code for the worm itself. You can filter these requests with a block rule whose url-regex matches the request URL. For Cisco Cache Engine hardware running CE2.XX software, and Cisco Content Engine hardware running 2.XX or 3.XX software, configure as follows:

rule enable
rule block url-regex ^http://.*/default\.ida$
rule block url-regex ^http://.*www\.worm\.com/default\.ida$

Issue the show rule all command to display the number of hits that accumulate against this block rule. For Content Engine hardware running 3.XX software, you can be more specific: instead of blocking the request, rewrite it to a local web server that indicates your site is infected. Use a rule similar to this one:

rule enable
rule rewrite url-regsub ^http://.*/default\.ida$ http://local-webserver/codered.html
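The following Python script is an added example, not part of this Cisco document and not Content Engine code. It models how the block and rewrite rules above would be evaluated against proxy request URLs, and runs them over a few constructed access-log lines to produce the same kind of hit count that show rule all reports. The log format, the IP addresses and the requests are constructed for the example. One assumption is made explicit in the code: the document's patterns end in default\.ida$, while the worm's request carries a query string after default.ida, so this model strips the query string before matching; the document does not state whether the Content Engine's url-regex is applied to the query portion, so confirm that behaviour on your own platform.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Block rules exactly as written in the document, in evaluation order.
BLOCK_RULES = [
    r"^http://.*/default\.ida$",
    r"^http://.*www\.worm\.com/default\.ida$",
]

# Rewrite rule as written in the document (pattern, replacement URL).
REWRITE_RULE = (r"^http://.*/default\.ida$", "http://local-webserver/codered.html")

# Constructed proxy access-log lines (not from the original document).
# Fields: timestamp, client address, method, URL, status.
SAMPLE_LOG = """\
1000.1 10.0.0.5 GET http://192.0.2.10/default.ida?NNNNNNNNNNNNNNNNNNNN%u9090 200
1000.2 10.0.0.6 GET http://www.example.com/index.html 200
1000.3 10.0.0.7 GET http://198.51.100.3/default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 200
1000.4 10.0.0.8 GET http://www.example.net/images/logo.gif 304
"""


def strip_query(url):
    """Return the URL without its query string and fragment.

    Assumption for this model: the Content Engine's url-regex is matched against
    the URL up to the path, so the patterns anchored on default\\.ida$ can match
    a request that still carries ?long-string-of-data on the wire.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def classify(url, rewrite=False):
    """Evaluate one request URL against the document's rules.

    Returns ("block", None), ("rewrite", target_url) or ("allow", None).
    With rewrite=False the two block rules are applied; with rewrite=True the
    3.XX-style url-regsub rule is applied instead.
    """
    path_url = strip_query(url)
    if rewrite:
        pattern, target = REWRITE_RULE
        if re.match(pattern, path_url):
            return ("rewrite", target)
        return ("allow", None)
    for pattern in BLOCK_RULES:
        if re.match(pattern, path_url):
            return ("block", None)
    return ("allow", None)


def process_log(log_text, rewrite=False):
    """Apply the rules to every log line.

    Returns (actions, hits): actions is a list of
    (client, url, action, target) tuples, and hits counts the requests that
    matched a rule, which is the figure show rule all accumulates on the device.
    """
    actions = []
    hits = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        client, url = fields[1], fields[3]
        action, target = classify(url, rewrite)
        if action != "allow":
            hits += 1
        actions.append((client, url, action, target))
    return actions, hits


if __name__ == "__main__":
    for mode in (False, True):
        actions, hits = process_log(SAMPLE_LOG, rewrite=mode)
        print("rewrite mode" if mode else "block mode", "- hits:", hits)
        for client, url, action, target in actions:
            print(f"  {client:<10} {action:<8} {url}" + (f" -> {target}" if target else ""))
```

Two things the run makes visible: the client addresses of the hits are the internal hosts that are themselves infected, which is what a defender actually wants from these rules; and the second block rule in the document is subsumed by the first, since any URL ending in www.worm.com/default.ida already matches ^http://.*/default\.ida$, so it will never accumulate hits on its own.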

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information