Date: Wed, 19 Sep 2001 11:48:18 -0600
From: Brett Glass <brett@lariat.org>
To: security@freebsd.org
Subject: Defense against "Code Rainbow"
Message-ID: <4.3.2.7.2.20010919112438.0598b8b0@localhost>
I'm working on an automatic defense against "Code Rainbow" and would appreciate suggestions about how to refine it so that others can use it.

My first quick-and-dirty attempt was to create an ErrorDocument for Apache that was not actually a document but rather a CGI script. If the script saw that the error was not "Code Rainbow," it sent back a standard error code. But if it recognized a "Code Rainbow" attack, it blackholed the attacker's IP address (available to CGI programs via the REMOTE_ADDR environment variable) via the system routing table and dropped the connection... cold. Bingo -- the attacking machine was locked out. (To give the CGI script the ability to change the routing table safely, I had to create a setuid program that could be invoked only by the CGI script and could do nothing but add a blackhole route.)

Unfortunately, there was a serious problem with this approach. The BSD TCP/IP stack apparently does not expect its routing table to be very big, and so scans it linearly. This means that, as the list of blackhole routes grew, we started to see serious problems with network performance. I tried creating ipfw rules instead, but discovered that ipfw scans linearly too.

What does ipf use? pf? Any ideas for speedups or security enhancements?

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
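The message describes a setuid helper that a CGI script can invoke with the attacker's REMOTE_ADDR and that "could do nothing but add a blackhole route". The sketch below is an added example of how such a helper can be written defensively; it is not Brett Glass's code. The security-relevant point is input validation: because the program runs as root, it must accept exactly one argument that parses as a plain IPv4 address (so no extra words or "-flags" can reach route(8)), refuse loopback, link-local, multicast and reserved addresses so that a malformed request can never cut the server off from itself, and exec route(8) with a clean environment. The helper name, the installation mode (4750 root:www so only the web server's user can run it), the /sbin/route path and the `route add -host <ip> 127.0.0.1 -blackhole` invocation are assumptions; the routing-table scaling problem the message raises is not addressed here.

```c
/* blackhole_helper.c -- added example, not code from the original message.
 * Minimal setuid-root helper for a CGI ErrorDocument script: adds one
 * FreeBSD blackhole route for a single attacker address.  Assumed to be
 * installed mode 4750 root:www so only the web server's user may run it.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ROUTE_CMD "/sbin/route"   /* assumed path to FreeBSD route(8) */

/* Return 1 if s is a dotted-quad IPv4 unicast address that is safe to
 * blackhole, 0 otherwise.  Anything that is not exactly an address is
 * rejected, so option strings or extra words never reach route(8). */
int validate_target(const char *s)
{
    struct in_addr a;
    if (s == NULL || strlen(s) > 15)            /* longest dotted quad */
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)         /* strict parse, no junk */
        return 0;
    uint32_t h = ntohl(a.s_addr);
    if ((h >> 24) == 127)   return 0;           /* 127/8 loopback */
    if ((h >> 16) == 0xA9FE) return 0;          /* 169.254/16 link-local */
    if ((h >> 28) >= 0xE)   return 0;           /* 224/4 multicast, 240/4 reserved */
    if (h == 0 || h == 0xFFFFFFFF) return 0;    /* unspecified / broadcast */
    return 1;
}

/* Fill argv for "route add -host <ip> 127.0.0.1 -blackhole".
 * Returns the number of arguments placed (argv is NULL-terminated). */
int build_route_argv(const char *ip, char *argv[], int max)
{
    const char *tmpl[] = { ROUTE_CMD, "add", "-host", ip,
                           "127.0.0.1", "-blackhole", NULL };
    int n = 0;
    while (tmpl[n] != NULL && n < max - 1) {
        argv[n] = (char *)tmpl[n];
        n++;
    }
    argv[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !validate_target(argv[1])) {
        fprintf(stderr, "usage: blackhole_helper <ipv4-address>\n");
        return 64;                              /* EX_USAGE */
    }
    /* Exec route(8) as root with a fixed, minimal environment. */
    char *cleanenv[] = { "PATH=/sbin:/bin", NULL };
    char *rargv[8];
    build_route_argv(argv[1], rargv, 8);
    execve(ROUTE_CMD, rargv, cleanenv);
    perror("execve");                           /* only reached on failure */
    return 1;
}
```

The CGI script would call this helper with `$REMOTE_ADDR` as its only argument after it has decided that the failed request was an attack; the helper never reads the request itself, so the decision logic stays out of the privileged code path.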