Document ID: 61670
Introduction
This document provides information on filtering the Code Red worm on Cisco Cache and Content Engines.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Configurations
Many transparent caches are being overwhelmed when attempting to connect to nonexistent sites. This document provides a solution to filter out the Code Red worm that can affect Cisco caching solutions. Code Red uses a buffer-overflow exploit in a default.ida script on Internet Information Servers (IIS). Code Red uses this Hypertext Transfer Protocol (HTTP) request:
get http://random-ip-address/default.ida?long-string-of-data
The long-string-of-data from the example above is the buffer overflow and instruction code for the worm itself. You can filter this by using a block rule that uses a url-regex to match the content. For Cisco Cache Engine hardware running CE2.XX software, and Cisco Content Engine hardware running 2.XX or 3.XX software, configure as follows:
rule enable
rule block url-regex ^http://.*/default\.ida$
rule block url-regex ^http://.*www\.worm\.com/default\.ida$
Issue the show rule all command to display the number of hits that accumulate against this block rule. For Content Engine hardware running 3.XX software, you can be more specific: rather than block the request, rewrite it to a page on a local Web server that indicates that your site is infected. Use a rule similar to this one:
rule enable
rule rewrite url-regsub ^http://.*/default\.ida$ http://local-webserver/codered.html
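An offline check of what the block pattern above covers, as an added example that is not Cisco code: it applies the page's url-regex with Python's re module to constructed proxy-log lines and counts hits per client, once with the query string stripped before matching and once with it included. The log format, addresses and placeholder query data are assumptions; which of the two views the engine uses is something to confirm against the show rule all hit counter.

```python
import re
from collections import Counter

# Block pattern copied from the rule on this page.
RULE = re.compile(r"^http://.*/default\.ida$")

# Constructed sample log lines: "<client-ip> <method> <url>". This is a
# hypothetical format, not the Cache Engine's own log layout, and the query
# data is a short placeholder rather than real worm content.
SAMPLE_LOG = """\
10.1.1.20 GET http://192.0.2.77/default.ida?AAAAAAAAAAAAAAAA
10.1.1.20 GET http://198.51.100.9/default.ida?AAAAAAAAAAAAAAAA
10.1.1.35 GET http://www.example.com/index.html
10.1.1.41 GET http://203.0.113.5/default.ida
10.1.1.35 GET http://www.example.com/docs/default.idea
"""


def rule_matches(url, include_query):
    """Apply the page's pattern to a URL, with or without its query string."""
    target = url if include_query else url.split("?", 1)[0]
    return RULE.search(target) is not None


def hits_per_client(log_text, include_query):
    """Count matching requests per client IP (a per-source view of rule hits)."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _method, url = parts
        if rule_matches(url, include_query):
            hits[client] += 1
    return hits


if __name__ == "__main__":
    for include_query in (False, True):
        counts = dict(hits_per_client(SAMPLE_LOG, include_query))
        print("query included in match:", include_query, counts)
```

Because the pattern ends in `$`, a request that carries data after `default.ida?` only matches when the query string is left out of the comparison, so a hit counter that stays at zero during an outbreak points at the anchor rather than at an absence of infected clients.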
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Updated: Sep 08, 2004
