How to Block Recent Buffer Overflow Attacks

Looking for a RewriteCond to block "SEARCH /\x90\x02\xb1\x02 etc.

chgoweb

2:18 pm on Apr 6, 2004 (gmt 0)


Lately, my logs have recorded frequent buffer overflow attacks, coming from a variety of IP addresses. The following very shortened log entry is typical:

123.123.123.123 - - [06/Apr/2004:04:05:51 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 ... \x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"

I've tried blocking it with:

RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

but that isn't working. Neither is:

RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [F]

SEARCH is not an HTTP request method. I don't know what it is normally used for.

Has someone found a RewriteCond that will forbid these requests?
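Added example, not from this thread: a small Python script that parses combined-format log lines like the one quoted above, flags SEARCH requests whose URI carries a run of escaped 0x90 (x86 NOP) bytes, and groups them by source IP. The log lines inside it are constructed to mirror the quoted entry (the addresses and paths are made up). It also separates out the 414 responses: Apache returns 414 while it is still reading a request line that exceeds LimitRequestLine, before mod_rewrite or any other module sees the request, so no RewriteCond can match those entries; the quoted SEARCH request was already refused by the server core, which is why the rules above never fire on it.

```python
"""Flag WebDAV SEARCH requests carrying a NOP sled in an Apache access log.

Added example, not code from the original thread. The log lines below are
constructed to mirror the shape of the entry quoted in the post; the
addresses, timestamps and paths are made up.
"""
import re
from collections import Counter

# Apache "combined" log format. Apache writes non-printable request bytes
# as \xNN escapes, so a NOP sled appears in the log as literal "\x90\x90...".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Four or more consecutive escaped 0x90 bytes (x86 NOP) in the request line.
NOP_SLED_RE = re.compile(r'(?:\\x90){4,}')

# Constructed sample log lines; the first two follow the quoted entry.
SAMPLE_LOG = r'''
192.0.2.10 - - [06/Apr/2004:04:05:51 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"
192.0.2.11 - - [06/Apr/2004:04:07:13 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\x90\x90\x90\x90\x90" 414 271 "-" "-"
198.51.100.7 - - [06/Apr/2004:04:09:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.8 - - [06/Apr/2004:04:10:44 -0500] "OPTIONS / HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider"
'''.strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def is_overflow_probe(rec):
    """True for a SEARCH request whose URI carries a NOP sled."""
    return rec["method"] == "SEARCH" and NOP_SLED_RE.search(rec["uri"]) is not None


def handled_before_rewrite(rec):
    """414 means Apache rejected the request line (longer than LimitRequestLine)
    while still reading it, before mod_rewrite or any other module ran."""
    return rec["status"] == 414


def scan(lines):
    """Count flagged probes per source IP and how many never reached mod_rewrite."""
    per_ip = Counter()
    unreachable = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_overflow_probe(rec):
            continue
        per_ip[rec["ip"]] += 1
        if handled_before_rewrite(rec):
            unreachable += 1
    return per_ip, unreachable


if __name__ == "__main__":
    per_ip, unreachable = scan(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} SEARCH overflow probe(s)")
    total = sum(per_ip.values())
    print(f"{unreachable} of {total} were rejected with 414 before mod_rewrite ran")
```

Run it as-is to see the per-IP counts for the sample, or feed it real lines with `scan(open("access_log"))`. SEARCH is a WebDAV method, not something a browser sends; for probes short enough to get past LimitRequestLine and reach the request handlers, wrapping the document root in a `<LimitExcept GET POST HEAD>` block with a deny-all access rule refuses every other method without needing a regex at all.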

denisdekat

10:09 pm on Apr 6, 2004 (gmt 0)


If you are running your own server, and if you use apache, consider mod_security and mod_dosevasive (breaks frontpage).

HTH :)

bufferzone

10:55 pm on Apr 6, 2004 (gmt 0)


I would consider using an application proxy firewall. They filter all the way up to the application layer and can block buffer overflows like the quite common one you are describing. Microsoft's ISA and Symantec Enterprise Firewall (formerly Velociraptor) are two examples of application proxy firewalls.