¡Ý À̸§:Àü¿Ï±Ù (wkjeon@certcc.or.kr)
¡Ý 2001/8/13(¿ù) 17:23
³×Æ®¿öÅ© ÇÊÅ͸µ±â¹ýÀ» ÅëÇÑ "Code Red" ¿ú¹ÙÀÌ·¯½º ´ëÀÀ¹æ¹ý
(C)CERTCC-KR
ÇØÅ·¹ÙÀÌ·¯½º»ó´ãÁö¿ø¼¾ÅÍ cert@certcc.or.kr
[¸ñ Â÷]
1. °³¿ä
2. ¼ºñ½º °¡´ÉÇÑ ½Ã½ºÅÛ
3. Code Red ÆÐÅÏ
4. ÇÊÅ͸µ ¼³Á¤ ¹æ¹ý
5. ÇÊÅ͸µ µ¿ÀÛ È®ÀÎ ¹æ¹ý
[Âü°í]
1. °³¿ä
IIS ¹ö±× º¸¾È ÆÐÄ¡ÈÄ¿¡µµ "Code Red"¿úÀÇ HTTP GET requests´Â À¥¼¹ö·Î °è¼ÓÀûÀ¸·Î µé¾î¿À°Ô µÇ¾î ³×Æ®¿öÅ©ÀÇ ºÎÇÏ¿¡ ¸¹Àº ¿µÇâÀ» ¹ÌÄ¡°í ÀÖ´Ù. º» ¹®¼¿¡¼´Â ½Ã½ºÄÚ ¶ó¿ìÅÍ¿¡¼ Á¦°øµÇ´Â class-map, Policy Map, Á¢±Ù Á¦¾î¸®½ºÆ®(ACL)±â´É µîÀ» »ç¿ëÇÏ¿© ³×Æ®¿öÅ© Â÷¿ø¿¡¼ Àû¿ë °¡´ÉÇÑ ÇØÅ·½Ãµµ ¹æÁö±â¹ý°ú ÇÔ²² ¼³Á¤µÈ °¢°¢ÀÇ ÇÊÅ͸µ ±â¹ýµéÀÇ µ¿ÀÛ¿©ºÎ¸¦ È®ÀÎÇÒ ¼ö ÀÖ´Â ¹æ¹ýÀ» ¼Ò°³ÇÑ´Ù.
2. ¼ºñ½º °¡´ÉÇÑ ½Ã½ºÅÛ
³×Æ®¿öÅ© ÇÊÅ͸µ±â¹ýÀ» ÅëÇÏ¿© "Code Red" ¿ú¹ÙÀÌ·¯½º¿¡ ´ëÀÀÇÒ ¼ö ÀÖ´Â ½Ã½ºÄÚ ¶ó¿ìÅ͵éÀº ´ÙÀ½°ú °°´Ù.
-----------------------
Ç÷§Æû : IOS ÃÖ¼Ò¹öÁ¯
-----------------------
7200 : 12.1(5)T
7100 : 12.1(5)T
3660 : 12.1(5)T
3640 : 12.1(5)T
3620 : 12.1(5)T
2600 : 12.1(5)T
1700 : 12.2(2)T
----------------------
* ´Ü,Cisco Express Forwarding (CEF)±â´ÉÀÌ enableµÇ¾î ÀÖ¾î¾ß ÇÔ.
------------------------
Ç÷§Æû : IOS ÃÖ¼Ò¹öÁ¯
------------------------
7500 : 12.1(6)E
FlexWAN : 12.1(6)E
-----------------------
*´Ü, Class-based marking °ú Distributed NBAR (DNBAR)±â´É »ç¿ë °¡´É.
3. Code Red ÆÐÅÏ
Code Red ¿ú °ø°ÝÀ» ¹ÞÀ¸¸é °ø°Ý ¼º°ø¿©ºÎ¿¡ »ó°ü¾øÀÌ ¾Æ·¡¿Í °°Àº ¸Þ½ÃÁö°¡ ³²À» ¼ö ÀÖ´Ù.
(IIS ·Î±×ÀÇ °æ¿ì, c:\WINNT/system32/LogFiles/W3SVC) ÀÚ¼¼ÇÑ ³»¿ëÀº ´ÙÀ½ ¹®¼µé¸¦ ÂüÁ¶ ¹Ù¶õ´Ù.
http://www.certcc.or.kr/paper/incident_note/2001/in2001_010.html
http://www.certcc.or.kr/paper/incident_note/2001/in2001_009.html
°¡. ÃÖÃÊÀÇ Code RedÀÇ ÆÐÅÏ
2001-08-04 16:32:23 24.101.17.216 - 10.1.1.75 80 GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 403
³ª. Code Red II ÀÇ ÆÐÅÏ
2001-08-04 15:57:35 64.7.35.92 - 10.1.1.75 80 GET /default.ida XXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u
53ff%u0078%u0000%u00=a 403 -
´Ù. CodeRedScanner ¿¡ ³ªÅ¸³ª´Â Code Red ÀÇ ÆÐÅÏ
*´ÙÀ½Àº ¾Æ·¡¿Í °°Àº º¸¾È Ãë¾àÁ¡À» Á¡°ËÇØÁÖ´Â µµ±¸¸¦ »ç¿ëÇÏ¿© °¢ »çÀÌÆ®³»¿¡¼ °¨¿° °¡´ÉÇÑ(ȤÀº °¨¿°µÈ) ½Ã½ºÅÛÀ» Á¡°ËÇÏ¿´À» °æ¿ì ³ªÅ¸³ª´Â ÆÐÅÏÀÌ´Ù.
http://www.eeye.com/html/Research/Tools/CodeRedScanner.exe
2001-08-06 22:24:02 24.30.203.202 - 10.1.1.9 80 GET /x.ida AAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X 403 HTTP/1.1 -
4. ÇÊÅ͸µ ¹æ¹ý
°¡. Class-mapÀ» »ç¿ëÇÏ´Â ¹æ¹ý
Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*x.ida*"
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*" T
³ª. Policy MapÀ» »ç¿ëÇÏ´Â ¹æ¹ý
´ÙÀ½°ú °°Àº ȯ°æÀ̶ó°í °¡Á¤ÇÏ¿´À» °æ¿ì Ethernet 0/0¿¡¼ »ý¼ºµÇ´Â Æ®·¡ÇÈÀ» ÅëÁ¦ÇÏ°í Ethernet 0/1·Î À¯ÀԵDZâ Àü¿¡ ÇÊÅ͸µµÇµµ·Ï ¼³Á¤ÇÑ´Ù.
* ȯ°æ ¿¹) E0/1(output interface) E0/0(intput interface)
<---------------------
||R|| <----------------------
*R : ¼ºñ½º °¡´ÉÇÑ Router
1) inbound Æ®·¡ÇÈ¿¡ ´ëÇØ ¸ÕÀú ¼³Á¤ÇÑ ÈÄ¿¡ outside ÀÎÅÍÆäÀ̽º¿¡´ëÇÑ ¼ºñ½º Á¤Ã¥À» Àû¿ëÇÑ´Ù.
Router(config)#policy-map mark-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap)#set ip dscp 1
Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input mark-inbound-http-hacks
´Ù. ÇØÅ·½Ãµµ ¹æÁö ¹æ¹ý
¾Æ·¡¿Í °°Àº ¹æ¹ýÁß¿¡ Çϳª¸¦ ¼±ÅÃÇÏ¿© Àû¿ëÇÏ¸é µÈ´Ù.
- Á¢±ÙÁ¦¾î¸®½ºÆ®(ACL)¸¦ ÀÌ¿ëÇÏ´Â ¹æ¹ý
1) ACL´Â DSCPÀÇ °ªÀÌ "1" ÀÎ °Í¿¡ ÇÑÇؼ ·Î±×¸¦ ³²±ä ÈÄ¿¡ ÇÊÅ͸µÇÑ´Ù.
Router(config)#access-list 105 deny ip any any dscp 1 log
Router(config)#access-list 105 permit ip any any
2) À¥¼¹ö°¡ ÀÖ´Â outboundÃøÀÇ insideÃø ÀÎÅÍÆäÀ̽º¸¦ ´ÙÀ½°ú °°ÀÌ ¼³Á¤ÇÑ´Ù.
Router(config)#interface ethernet 0/1
Router(config-if)#ip access-group 105 out
*ÁÖÀÇ:¸¸¾à ¸¹Àº ÀÎÅÍÆäÀ̽º ÀÖÀ» °æ¿ì ·Î±×±â´É¸¦ »ç¿ëÇÏ¸é ¸¹Àº ÀÚ¿ø³¶ºñ¸¦ ÃÊ·¡Çϱ⠶§¹®¿¡ µÇµµ·ÏÀ̸é Äַܼα׸¦ »ç¿ëÇÏÁö ¾Ê´Â °ÍÀÌ ÁÁ´Ù.
- Policy Based Routing ¹æ¹ýÀ» Àû¿ëÇÏ¿© ÇÊÅ͸µÀ» ÇÏ´Â ¿¹
Router(config)#access-list 106 permit ip any any dscp 1
Router(config)#route-map null_policy_route 10
Router(config)#match ip address 106
Router(config)#set interface Null0
Router(config)#interface ethernet 0/0
Router(config-if)#ip policy route-map null_policy_route
* ¶ó¿ìÅÍ·Î ºÎÅÍ À¯ÃâµÇ´Â ¸ðµç ÀÎÅÍÆäÀ̽º¿¡ ´ëÇؼ Â÷´ÜÇÏÁö ¾Ê°í, ¶ó¿ìÅÍ·Î À¯ÀԵǴ ÀÎÅÍÆäÀ̽º¿¡ ´ëÇؼ¸¸ Â÷´ÜÇϵµ·Ï ¼³Á¤ÇÒ ¼öµµ ÀÖ´Ù.
- Policing SolutionÀ» ÀÌ¿ëÇÑ ¹æ¹ý
1) ¶ó¿ìÆà ȤÀº Á¢±ÙÅëÁ¦¸®Æ®(ACL), Àü¼Û¼Óµµ¿Í´Â »ó°ü¾øÀÌ Æ®·¡ÇÈÀ» Á¦¾îÇÒ ¼ö ÀÖ´Ù.
Router(config)#policy-map drop-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
2) ¶ó¿ìÆà ȤÀº Á¢±ÙÅëÁ¦¸®Æ®(ACL)¿Í´Â »ó°ü¾øÀÌ Æ®·¡ÇÈÀ» Á¦¾îÇÒ ¼ö ÀÖ´Ù.
Router(config)#interface ethernet 0/0
Router(config-if)#service-policy input drop-inbound-http-hacks
5. ÇÊÅ͸µ µ¿ÀÛ È®ÀÎ ¹æ¹ý
´ÙÀ½Àº ¼³Á¤µÈ °¢°¢ÀÇ ÇÊÅ͸µ ±â¹ýµéÀÇ µ¿ÀÛ¿©ºÎ¸¦ È®ÀÎÇÏ´Â ¹æ¹ýµéÀÌ´Ù.
°¡. Á¢±ÙÁ¦¾î¸®½ºÆ®(ACL) Solution ¿î¿µ È®Àιæ¹ý
Router#show access-list 105
Extended IP access list 105
deny ip any any dscp 1 log (2406 matches)
deny tcp any any dscp 1 log
permit ip any any (731764 matches)
³ª. Policy Based Routing Solution ¿î¿µ È®Àιæ¹ý
Router#show access-list 106
Extended IP access list 106
deny ip any any dscp 1 (1506 matches)
Router#show log
Aug 4 13:25:20: %SEC-6-IPACCESSLOGP: list 105 denied tcp A.B.C.D.(0) -> 10.1.1.75(0), 6 packets
Aug 4 13:26:32: %SEC-6-IPACCESSLOGP: list 105 denied tcp A.B.C.D.(0) -> 10.1.1.75(0), 6 packets
*·Î±×¿¡ ŽÁöµÈ IP 10.1.1.75(0)¿Í A.B.C.D.(0)´Â ¼³Á¤µÈ ȯ°æ¿¡ µû¶ó ´Ù¸£°Ô ³ªÅ¸³ª°Ô µÈ´Ù.
´Ù. Policing Solution ¿î¿µ È®Àιæ¹ý
Router#show policy-map interface ethernet 0/0
Ethernet0/0
Service-policy input: mark-inbound-http-hacks
Class-map: http-hacks (match-any)
3101 packets, 4292566 bytes
30 second offered rate 2000 bps, drop rate 0 bps
Match: protocol http url "*default.ida*"
3101 packets, 4292566 bytes
30 second rate 2000 bps
Match: protocol http url "*cmd.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes 30 second rate 0 bps
QoS Set
ip dscp 1
Packets marked 3101
Router#show policy-map interface fastEthernet 0/0
Ethernet0/0
Service-policy input: drop-inbound-http-hacks
Class-map: http-hacks (match-any)
5 packets, 300 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*default.ida*"
5 packets, 300 bytes
5 minute rate 0 bps
Match: protocol http url "*cmd.exe*"
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes 30 second rate 0 bps
police:
1000000 bps, 31250 limit, 31250 extended limit
conformed 5 packets, 300 bytes; action: drop
exceeded 0 packets, 0 bytes; action: drop
conformed 0 bps, exceed 0 bps violate 0 bps
|
