05-24-2011 07:55 AM - edited 03-11-2019 01:37 PM
Hi,
We have a case where we need to deny incoming traffic on the outside interface containing HTTP/1.0 requests. I'm not sure if it has to be scripted or if the inspection maps for HTTP can manage this.
Help would be appreciated.
Jens
05-24-2011 11:51 AM
Hi Jay,
Are you in a situation where the HTTP 1.0 request is leaking the private IP of your server? Is that why you want to block it?
Thanks,
Varun
05-25-2011 01:13 AM
Hi Varun,
Thanks for your reply.
We have a 1 to 1 NAT.
But no, not really. It was due to an attack on port 80 where the attacker used massive GET -> HTTP/1.0. I know the risks of filtering out HTTP/1.0 (Google search, I believe, uses HTTP/1.0). The attack has been stopped by an Apache server block so it's not critical, but for cases in the future I would like to filter any aspect I choose for port 80.
So if anyone could give me an example of an inspect map where microfiltering on port 80 is used for filtering out HTTP/1.0, it would be great.
Jens
05-25-2011 06:59 AM
Jens,
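I tested this on my ASA and it appears to work. I tested by changing the "about:config" on my Firefox for network.http.version from 1.1 to 1.0.

! Traffic to inspect: HTTP from the 192.168.2.0/24 test network
access-list inside_http extended permit tcp 192.168.2.0 255.255.255.0 any eq www
!
! Pattern for the HTTP/1.0 version string
regex http10 "HTTP/1.0"
!
! Layer 3/4 class: select traffic by the ACL above
class-map test_http_map
 match access-list inside_http
!
! HTTP inspection class: requests whose arguments match the http10 regex
class-map type inspect http match-all deny_http_1.0
 match request args regex http10
!
! Reset and log connections that hit the inspection class
policy-map type inspect http inspect_http_with_blocking
 parameters
 class deny_http_1.0
  reset log
!
! Apply the HTTP inspection to the ACL-matched traffic in the global policy
policy-map global_policy
 class test_http_map
  inspect http inspect_http_with_blocking
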
I don't think it would be a good idea to run this all the time. But if you do get hit again, you should be able to put it in place quickly to mitigate the attack.
Thanks,
Brendan
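
An added example, not part of the thread or of Brendan's configuration: because the block is meant to be applied only while an attack is under way, this Python script scans Apache access-log lines for sources sending bursts of HTTP/1.0 GETs and counts requests per protocol version, showing what a blanket HTTP/1.0 block would also drop. The log format (Apache common log), the threshold and window values, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common log prefix: host ident user [time] "METHOD uri PROTO" status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) \S+ (?P<proto>HTTP/\d\.\d)" \d{3}'
)

def parse(line):
    """Return (host, time, method, proto), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["method"], m["proto"]

def http10_flooders(lines, threshold=5, window=timedelta(seconds=10)):
    """Map host -> peak count of HTTP/1.0 GETs seen inside one sliding window."""
    times = defaultdict(list)
    for host, ts, method, proto in filter(None, map(parse, lines)):
        if method == "GET" and proto == "HTTP/1.0":
            times[host].append(ts)
    flagged = {}
    for host, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

def protocol_share(lines):
    """Requests per protocol version: what a blanket HTTP/1.0 block would hit."""
    return Counter(rec[3] for rec in map(parse, lines) if rec)

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    f'203.0.113.50 - - [24/May/2011:07:40:{s:02d} +0000] "GET / HTTP/1.0" 200 512'
    for s in range(8)
] + [
    '198.51.100.7 - - [24/May/2011:07:40:03 +0000] "GET /robots.txt HTTP/1.0" 200 68',
    '192.0.2.10 - - [24/May/2011:07:40:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.10 - - [24/May/2011:07:41:30 +0000] "POST /login HTTP/1.1" 302 0',
    'line that does not parse',
]
```

On the sample, only 203.0.113.50 is flagged, while 198.51.100.7 is a low-rate HTTP/1.0 client that a blanket block would also reset.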