Document ID: 61670
Updated: Sep 08, 2004
Introduction
This document provides information on filtering the Code Red worm on Cisco Cache and Content Engines.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Configurations
Code Red spreads by sending its exploit request to random IP addresses on TCP port 80. A transparent cache in the path intercepts each of these requests and tries to open a connection to the target, and because most of those targets do not exist, many caches are being overwhelmed by connection attempts to nonexistent sites. This document describes how to filter the worm's requests on Cisco caching solutions. Code Red exploits a buffer overflow in the Indexing Service ISAPI extension (idq.dll) of Internet Information Server (IIS), which is reached through the .ida file extension, using a Hypertext Transfer Protocol (HTTP) request of this form:
GET http://random-ip-address/default.ida?long-string-of-data
The long-string-of-data is the overflow payload and the worm's own instruction code. You can filter these requests with a block rule whose url-regex matches the request URL. For Cisco Cache Engine hardware running CE 2.XX software, and Cisco Content Engine hardware running 2.XX or 3.XX software, configure the following:
rule enable
rule block url-regex ^http://.*/default\.ida$
rule block url-regex ^http://.*www\.worm\.com/default\.ida$
Issue the show rule all command to display the number of hits that have accumulated against each block rule. If the counters stay at zero while worm traffic is known to be present, check whether your engine applies the url-regex to the URL including its query string: the trailing $ anchor in the patterns above requires the URL to end at default.ida, so in that case remove the $ so the pattern also matches default.ida?long-string-of-data. For Content Engine hardware running 3.XX software, you can be more specific and, instead of blocking the request, rewrite it to a local web server. The access log of that server then records the addresses of the infected hosts on your network, which is the practical way to see who is infected. Use a rule similar to this one:
rule enable
rule rewrite url-regsub ^http://.*/default\.ida$ http://local-webserver/codered.html
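To see what the block and rewrite patterns above do and do not match, here is an added Python example; it is not part of the original Cisco document and does not run on the Content Engine. It applies the page's url-regex patterns to constructed sample URLs of the kind a transparent cache would reconstruct from the worm's request, and models the rewrite rule with a substitution. It assumes the engine's url-regex behaves like Python's re module for these simple patterns; the abbreviated worm payload is constructed, and the relaxed pattern without the trailing anchor is this example's own addition, not from the page.

```python
import re

# The two block rule patterns from the document (assumed to behave like
# Python re for these simple expressions).
BLOCK_PATTERNS = [
    r"^http://.*/default\.ida$",
    r"^http://.*www\.worm\.com/default\.ida$",
]

# Added variant without the trailing anchor, for an engine that matches the
# URL including its query string (assumption, not from the document).
RELAXED_PATTERN = r"^http://.*/default\.ida(\?|$)"

# Placeholder rewrite target, as in the document's rewrite rule.
REWRITE_TARGET = "http://local-webserver/codered.html"

# Constructed sample URLs: two worm probes (the second with an abbreviated,
# constructed payload string), a host-header variant, and two benign URLs.
SAMPLE_URLS = [
    "http://10.1.2.3/default.ida",
    "http://10.1.2.3/default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801",
    "http://www.worm.com/default.ida",
    "http://www.example.com/index.html",
    "http://www.example.com/default.idaX",
]


def matches_any(url, patterns):
    """True if any block pattern matches the reconstructed URL."""
    return any(re.search(p, url) for p in patterns)


def classify(url, patterns=BLOCK_PATTERNS):
    """Decision the block rule would take for this URL."""
    return "block" if matches_any(url, patterns) else "allow"


def rewrite(url, pattern=BLOCK_PATTERNS[0], target=REWRITE_TARGET):
    """Model of 'rule rewrite url-regsub': replace a matching URL with target,
    leave a non-matching URL untouched."""
    return re.sub(pattern, target, url) if re.search(pattern, url) else url


def count_hits(urls, patterns):
    """Model of the per-rule hit counters shown by 'show rule all'."""
    return {p: sum(1 for u in urls if re.search(p, u)) for p in patterns}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(url):5s}  relaxed={classify(url, [RELAXED_PATTERN]):5s}  {url}")
    print("rewrite:", rewrite(SAMPLE_URLS[0]))
    for pattern, hits in count_hits(SAMPLE_URLS, BLOCK_PATTERNS).items():
        print(f"{hits} hits  {pattern}")
```

Running the block shows the point of the caveat above: with the anchored patterns the bare default.ida URL is blocked, but the URL carrying the ?long-string-of-data query is allowed, because $ forces the match to end at default.ida; the relaxed pattern catches both while still leaving default.idaX and unrelated pages alone.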
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
