Blocking Virus Requests in Novell BorderManager's HTTP Accelerator
Articles and Tips: article
Senior Software Engineer
Thanks to Amandeep Singh Sandhu of Novell for his help in preparing this AppNote.
01 Feb 2002
With the recent outbreaks of malicious viruses such as Code Red and Nimda, network administrators are looking for ways to protect their Web servers from these and other distributed denial-of-service attacks. For Web servers that are being accelerated by Novell BorderManager's reverse proxy capability, Novell has added a new Virus Pattern Recognition feature to BorderManager 3.7 that can help protect against such attacks. This AppNote describes how to enable and configure this feature.
HTTP acceleration, network security, reverse proxy, virus protection
network administrators, consultants, integrators
familiarity with the Internet, BorderManager, and security
In the past few months, we have seen an increase in self-propagating malicious viruses such as Code Red and Nimda, which are designed to inflict maximum damage to computer systems around the world. The methods used by this new breed of viruses demonstrate the growing sophistication of virus and worm attacks.
For example, in the case of Code Red, the worm attempts to connect to a certain TCP port on a randomly chosen host, assuming that a Web server will be found. Upon successful connection to the host, the attacking computer sends an HTTP GET request that attempts to exploit a known vulnerability in Microsoft Internet Information Server (IIS) Web servers. If the exploit is successful, the worm begins executing on the victim host. Depending on the day of the month, it either attempts to further propagate itself by connecting to other randomly chosen IP addresses, or it launches a packet- flooding "denial of service" attack against a fixed IP address. The ultimate goal of this type of attack is to generate so much illegal traffic to the site that service is denied to the site's legitimate users.
Although these viruses infect only certain vulnerable non-NetWare Web servers and routers, their method of attack can impact the performance of Novell BorderManager (NBM) Proxy Servers that are used to accelerate these Web servers. To protect against such attacks from the NBM Proxy side, there must be some mechanism in place to examine all incoming HTTP requests and reject those that are identified as coming from virus-infected computers. The main problem lies in differentiating between legal and illegal requests and acting accordingly, without adversely affecting the performance of the NBM Proxy Server.
To accomplish this, Novell has added a Virus Pattern Recognition and protection enhancement to Novell BorderManager 3.7. This enhancement includes features to facilitate its configuration and monitoring.
This AppNote describes the Virus Pattern Recognition enhancement and explains how to configure and monitor this feature.
Overview of the Virus Pattern Recognition Feature
This section provides an overview of the functionality of the Virus Pattern Recognition feature as a mechanism for protecting Web servers against distributed denial-of-service (DDoS) attacks. The solution involves creating a database of known virus patterns. The NBM Proxy Server then compares every incoming request with the existing pattern database, and blocks any request that perfectly matches one of the patterns in the database.
The main goals in the design of this feature were:
To make it easy to add and delete virus request patterns in the database
To allow the pattern database to be updated "on the fly", without having to bring down the Proxy Server
To provide automatic detection of changes in virus patterns and subsequent updating of the pattern database
To offer effective console-based monitoring
To minimize the impact on performance
In discussing the functionality of this feature, it is helpful to understand the following terminology used to categorize HTTP requests:
Suspect request: any request that is suspected to be generated from a virus- infected client or server
Virus request: any request that is determined to have been generated from a virus-affected client or server
Humble request: any request that is valid to the origin Web server (a non-virus request)
Enabling the Virus Pattern Recognition Feature
To enable this feature, you must have the latest version of PROXY.NLM. You also need the following lines in the SYS:\ETC\PROXY\ PROXY.CFG file, which is used to initialize the NBM Proxy Server at startup:
[Extra Configuration] ScanVirusPatterns=1 [Virus Pattern Configuration] NoOfVirusPatterns=0 PatternSize=16 PatternStartOffset=1 EnablePatternAutoUpdate=1
If you don't have these lines in the PROXY.CFG file when you start the Proxy Server, you will receive a "virus command not found" message on the system console when you try to enter any of the console commands described below.
Command Line-Based Configuration
Configuration of the Virus Pattern Recognition feature is accomplished via console commands that are run from the system console. As with most console-based systems, responses to commands are written back to the system console and recorded in a log file (in this case, PROXY.LOG).
Note: The command syntax below is specified in BNF (Backus-Naur Format) notation, a formal system of notation developed in the 1960s to describe the syntax of a given command set or computer programming language. For more information, visit http://www.w3.org/Notation.html.
COMMAND ::= "virus" [<command>] *((<options> | <option- value-pairs>) <white-space>) <new-line> command ::= "add" | "del" | "dump" options = <option>[a-zA-Z?]* option-value-pairs = <option> <white-space> <value> option = [-/][a-zA-Z?] white-space = [\t ] *[\t ] new-line = [\n\r] value = (<Integer> | <string>) Integer = [1-9][0-9]* string = ["]<ascii> <ascii>*["] ascii = all ascii characters
Don't worry if you aren't familiar with BNF notation. Examples of the most commonly-used configuration commands are provided in the following sections.
Adding and Deleting Virus Request Patterns
Once the Proxy Server is up and running with its initial pattern database loaded, you can add new patterns while the server is running. The console command syntax for adding a new virus pattern is:
virus add -p <pattern> -o <origLength>
where pattern is a 16-byte character string located at offset 1 in the HTTP GET request, and origLength is the original size of the request in bytes. These are mandatory option-value pairs. The string value for pattern should be enclosed in quotation marks; the value for origLength is given as an integer. For example:
virus add -p "default.ida?NNNN" -o 385
The Proxy Server looks at the specified offset in each incoming request and reads the next 16 bytes. If that string matches any of the patterns in the existing database, the request is considered a virus request and is blocked.
Note: The pattern size and start offset are set to 16 and 1, respectively, by default. You can change these values in the PROXY.CFG file, but do so with caution. They are global parameters that apply to all entries in the pattern database.
How do you know what values to enter for pattern and origLength? That's a good question. A step-by-step example of identifying a virus pattern is given later in this AppNote (see "Example: Identifying and Adding a New Virus Pattern").
To delete a pattern from the database, use the same syntax but replace the "add" command with "del". For example:
virus del -p "default.ida?NNNN" -o 385
Updating the Database via a Script (NCF File)
Another aspect of the Virus Pattern Recognition feature is the capability to update the database in a script-like fashion by placing a list of "virus add . . ." commands in an NCF file and running the file on the console. This enables you to update the virus pattern database without having to bring the Proxy Server down. The commands must conform to the syntax prescribed in this AppNote.
You can use the following command to write all existing entries in the database into an NCF file:
The name of the dump file is SYS:\ETC\PROXY\VIRPAT.NCF. This NCF file can be run as part of the Proxy Server restart process, or you can run it manually after the Proxy Server has been loaded.
Enabling and Configuring Auto Update
BorderManager provides an Auto Update feature that automatically detects virus requests and adds their patterns to the database. This feature's heuristic (self- learning) request examination method is especially useful in detecting frequently changing virus request patterns.
The heuristics look at the incoming request distribution within a specified amount of time. For these heuristics to work, two parameters must be properly configured:
Threshold. This parameter defines the number of new requests that hash to the same value that will be allowed within the time interval before those requests are considered suspect. The default value is 250; this can be changed via the "virus -t <threshold>" console command.
Refresh time interval. This parameter defines the amount of time, in seconds, after which identical requests received beyond the threshold value are checked for virus pattern content. The default value is 10 seconds; this can be changed via the "virus -r <time interval>" console command.
When more than the threshold number of identical requests are received within the specified time interval, that request is considered suspect and is scheduled for further analysis via a background process. (This analysis involves looking for particular keywords, as explained in the next section.) In the meantime, the Proxy Server continues to receive all requests so that valid requests are never blocked.
The Virus Pattern Configuration screen provides information that can help you adjust these parameters for your particular system. See "Choosing a Proper Threshold" for details.
There are two ways to enable this Auto Update feature. One is by entering the following command at the system console:
virus -e 1
Note: Specifying a value of 0 (zero) in this command will disable Auto Update.
The other way to enable this feature is to place the following option in the PROXY.CFG file:
[Virus Pattern Configuration]EnablePatternAutoUpdate=1
This will ensure that this feature is enabled every time the Proxy Server is started.
Adding New Virus Keywords
Virus request patterns of the same virus type contain keywords or character strings that can be used to identify the request. For example, all URLs with Code Red virus requests contain the string "cmd.exe". Since the presence of this string identifies the URL as a virus request, "cmd.exe" is a keyword.
Note: In this Code Red example, adding "*cmd.exe.*" as a filter rule in routers will block all requests containing this keyword.
Keywords come into play only after a request has been labelled as suspect through the heuristics described above. At that point, the suspect request is checked for the presence of certain keywords. If a match is found, the request is labelled a virus request and its pattern is added to the database. Any future requests containing that keyword will automatically be blocked.
To add a new keyword to the list of existing keywords, type the following command at the system console:
virus add -k <keyword>
where keyword is a character string that determines whether a suspect request is a humble request or a virus request.
For information about known virus keywords, visit http://www.cert.org and search for system footprint details in the virus incident reports.
Monitoring the Virus Pattern Recognition Feature
Because the effectiveness of a feature can be best understood through monitoring, the NBM Proxy Server includes a Virus Pattern Configuration screen. All virus pattern-related configuration and statistical information is tracked and displayed on this separate server console screen. A more detailed description of this monitor screen is given in the next section of this AppNote.
Effect on Performance
Since there is very little overhead involved in checking incoming HTTP requests, enabling the Virus Pattern Recognition feature does not adversely affect NBM Proxy Server performance.
The Virus Pattern Configuration Screen
The Virus Pattern Configuration screen is a console-based screen dedicated to virus pattern configuration and monitoring. This screen is reached by entering 23 on the Proxy Console screen. The information displayed is periodically refreshed for monitoring.
Figure 1 is an example screen showing the Virus Pattern Configuration settings.
The Virus Pattern Configuration Screen.
Let's look at each section of this screen and describes the parameters, their meaning, and, where applicable, their default values and configuration methods.
Configuration Section. The items in the Configuration section of the screen are as follows:
No Of Patterns. This is the current number of patterns in the database. This value is not configurable. It starts at 0 and is incremented each time a new pattern is successfully added to the database.
Pattern Size. This is the size of the pattern, in bytes. The default setting is 16. This is a global setting that is used for all patterns, so modify it with care.
Pattern Start Offset. This indicates where the virus pattern starts, as a byte offset from the actual beginning of the request. The default setting is 1. This is a global setting that is used for all patterns, so modify it with care.
Refresh Interval. This specifies the time interval in which the incoming request distribution is studied for Auto Update heuristic purposes. The default value is 10 seconds. The value can be modified using the "virus -r <interval>" command.
Hit Threshold. This is the threshold upon which the automatic detection of new virus patterns is based. The default value is 250. The value can be modified using the "virus -t <threshold>" command.
Virus Auto Update. This indicates whether or not the Auto Update feature is enabled. The default value is 0 (disabled). The Auto Update feature can be enabled using the "virus -e 1" command.
Monitoring Section. The items in the Monitoring section of the screen are as follows:
Virus Requests. This is the number of incoming requests that have matched a virus pattern. This value is not configurable. It starts at 0 and is incremented each time a pattern match is detected.
Non Virus Requests. This is the number of incoming requests that did not match a virus pattern. This value is not configurable. It starts at 0 and is incremented each time a pattern match fails.
Recommend Threshold. This is a recommended value for the Auto Update threshold parameter. After the server has been up for a while, this gives a good lower limit for the hit threshold.
Max Non Virus Hit Rate. This is the maximum or peak number of incoming humble (non-virus) requests received in one time interval.
Ave Virus Hit Rate. This is the average number of incoming virus requests received over all the time intervals crossed so far.
Ave Non Virus Hit Rate. This is the average number of incoming humble (non-virus) requests. The threshold setting must be greater than this value.
Figure 2 shows the relationship between the Max Non Virus Hit Rate, the Ave Non Virus Hit Rate, and the Recommended Threshold.
Relationship between statistics on the Virus Pattern Configuration Screen.
Virus Source IP Address Section. This section displays the last ten IP addresses of sources that sent virus requests.
Last Predicted Request. This section displays the last request that was made a suspect.
Choosing a Proper Threshold
The configuration section of the Virus Pattern Configuration screen contains a "Hit Threshold" parameter that gives the current threshold value.
The following rules of thumb can be used for arriving at an appropriate new threshold value:
The Threshold value must be always greater than the "Ave Non Virus Hit Rate".
The "Recommend Threshold" gives a possible threshold value. However, you can use this value as a new threshold only if it is considerably higher than the "Ave Non Virus Hit Rate" value'.
You can change the threshold value by executing the following command at the system console:
virus -t <threshold>
The threshold and refresh time interval settings are tightly coupled. If you raise the threshold, you need to increase the time interval accordingly, and vice versa. You can change the refresh time interval value by executing the following command at the system console:
virus -r <time interval>
This section outlines how to perform various tasks involved in the day-to-day operation of the Virus Pattern Recognition feature.
Specifying a Maximum Number of Patterns
Each pattern added to the database takes up 64 bytes of RAM. For memory and performance reasons, you may want to set a limit on the number of patterns allowed in the virus pattern database. To do this, enter the following command at the system console:
virus -m <Max virus patterns>where Max virus patterns is an integer specifying the maximum number of patterns allowed in the database. This value should be set below 256.
Clearing Existing Virus Patterns
To clear all existing patterns from the database, type the following command at the system console:
Viewing Online Help
To display online help and usage information, type the following command at the system console:
virus -? or virus -h
Verifying the Blocking of Virus Requests
To verify whether the Virus Pattern Recognition feature is working, check the PROXY.LOG file (located in SYS:\ETC\PROXY) for drop or slip.
The following is an example of a slipped request:
22.214.171.124 - - [06/Aug/2001:09:58:58 -0600] "GET /default.ida? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078 %u0000%u00=a HTTP/1.0" - -
The following is an example of a dropped request:
126.96.36.199 - - [09/Aug/2001:04:47:27 -0600] "(bad request line) GET%00/default.ida? XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (truncated)" 400 2248
Disabling the Virus Pattern Recognition Feature
To disable the Virus Pattern Recognition feature, change the value of the ScanVirusPatterns parameter in PROXY.CFG to 0 and restart the Proxy Server:[Extra Configuration]ScanVirusPatterns=0
Example: Identifying and Adding a New Virus Pattern
This section provides a step-by-step example of how to identify and add a new virus pattern to the database.
Open the PROXY.LOG file and look for a virus request. For example, such as request might look like this:
188.8.131.52 - - [12/Nov/2001:10:04:55 -0600] "GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078 %u0000%u00=a HTTP/1.0" 500 2244
Isolate the portion of the request that appears within the quotation marks (shown in bold above). Then strip out the word "GET" and the space after it. You now have the string:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0
Note the length of this string, which will be used as the value for the original length (origLength) parameter. In this example, it is 385.
The Pattern Start Offset value shown in the Configuration section of the Virus Pattern Configuration screen indicates the location of the pattern as an offset from beginning of the string. In this case it is 1.
The Pattern Size value in the Configuration section of the Virus Pattern Configuration screen indicates the size of the pattern. In this example it is 16.
So the pattern for this virus request is identified as the 16-byte string that starts at offset 1, which is:
To block this as a virus request, type the following command at the console:
virus add -p "default.ida?NNNN" -o 385
This AppNote has introduced the Virus Pattern Recognition feature that has been added to the Novell BorderManager Proxy Server. For additional information, check out the following references:
Novell BorderManager online documentation (http://www.novell.com/ documentation)
BorderManager Cool Solutions Web site (http://www.novell.com/ coolsolutions/bordermag)
CERT Coordination Center (http://www.cert.org/)
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.