Date:      Wed, 19 Sep 2001 11:48:18 -0600
From:      Brett Glass <brett@lariat.org>
To:        security@freebsd.org
Subject:   Defense against "Code Rainbow"
Message-ID:  <4.3.2.7.2.20010919112438.0598b8b0@localhost>

I'm working on an automatic defense against "Code Rainbow" and would 
appreciate suggestions about how to refine it so that others can use it.

My first quick-and-dirty attempt was to create an ErrorDocument for 
Apache that was not actually a document but rather a CGI script. If the 
script saw that the error was not "Code Rainbow," it sent back a standard 
error code. But if it recognized a "Code Rainbow" attack, it blackholed 
the attacker's IP address (available to CGI programs via the REMOTE_ADDR 
environment variable) via the system routing table and dropped the 
connection... cold. Bingo -- the attacking machine was locked out. (To 
give the CGI script the ability to change the routing table safely, I had 
to create a setuid program that could be invoked only by the CGI script 
and could do nothing but add a blackhole route.)

Unfortunately, there was a serious problem with this approach. The BSD 
TCP/IP stack apparently does not expect its routing table to be very big, 
and so scans it linearly. This means that, as the list of blackhole 
routes grew, we started to see serious problems with network performance. 
I tried creating ipfw rules instead, but discovered that ipfw scans 
linearly too. What does ipf use? pf? Any ideas for speedups or security 
enhancements?

--Brett Glass
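As an added illustration of the ErrorDocument-as-CGI approach described in the message (this is example code written for this archive page, not Brett's script or anything from FreeBSD), the handler below recognises the worm probe, validates REMOTE_ADDR strictly before handing it to the privileged helper, and returns a minimal response. It assumes Apache's REDIRECT_STATUS / REQUEST_URI variables, uses the publicly documented Code Red indicator (a request for /default.ida) as its constructed signature, and names a hypothetical setuid helper at /usr/local/libexec/blackhole-add.

```python
#!/usr/bin/env python3
"""ErrorDocument CGI handler: classify the failed request, blackhole worm sources."""
import ipaddress
import os
import subprocess
import sys

HELPER = "/usr/local/libexec/blackhole-add"  # hypothetical setuid helper, one job only


def is_worm_probe(request_uri: str) -> bool:
    """Constructed signature: Code Red requests /default.ida with a padded query."""
    path = request_uri.split("?", 1)[0]
    return path.lower().endswith("/default.ida")


def safe_remote_addr(raw: str):
    """Return a canonical address string, or None if the value must not reach the helper.

    The address becomes an argv entry of a setuid program, so it must parse as a bare
    IP literal (rejecting option-like or command-like strings) and must never be one of
    our own addresses.  Site-specific allowlists belong in the helper itself.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast:
        return None
    return str(addr)


def blackhole(addr: str) -> None:
    """Invoke the helper with an argv list: no shell, so the address is data only."""
    subprocess.run([HELPER, addr], check=True, timeout=5)


def handle(environ, run=blackhole):
    """Return (http_status, blackholed_addr). Non-worm errors keep Apache's status."""
    status = environ.get("REDIRECT_STATUS", "404")
    uri = environ.get("REQUEST_URI", "")
    if not is_worm_probe(uri):
        return status, None
    addr = safe_remote_addr(environ.get("REMOTE_ADDR", ""))
    if addr is None:
        return status, None
    run(addr)
    return "444", addr  # nonstandard "close without reply" status, body left empty


if __name__ == "__main__":
    code, hit = handle(os.environ)
    sys.stdout.write(f"Status: {code}\r\nContent-Type: text/plain\r\n\r\n")
```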

