Title: RE: [FW1] Code Red: What security specialists don't mention in warnings

No sir, you're absolutely wrong or missing something.
I'm using that rule for about two weeks, and also such similar rules (not only http, but also smtp-resource, etc.) for a long time. Alas! No CPU bottleneck, or other performance problems, no 'pegging', etc. Oh, by the way, the FW module is on a Nokia IP650.
I always preach what I practice!
I bet that if you ever try this rule, you will also discover why it is not a good idea. The HTTP security server does not work very well and when you put that rule in, it will probably be fine for a good 30 seconds, and then your CPU % will skyrocket to 100% and stay there. Analysis will reveal that the in.ahttpd process is the culprit. You are correct in that this technique is very effective at blocking that string. While I can't say for certain that the firewall performance was impacted when I had the CPU at 100%, I would rather not take the chance.

In my situation we had (Not LocalNets) -> DMZ web servers -> http_resource Drop.

The only time it would not peg was when we had only one web server in the destination. Two web servers or more would peg it.