Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1013
Views
0
Helpful
3
Replies

inspection rule deny HTTP/1.0 traffic from outside 2 webserver

Sentia NOC
Level 1
Level 1

‎05-24-2011 07:55 AM - edited ‎03-11-2019 01:37 PM

Hi,

We have a case where we need to deny incoming traffic on the outside interface containing HTTP/1.0 requests. Im not sure if it has to be scripted or the inspection maps for HTTP can manage this.

Help would be apprieciated.

Jens

Labels:
0 Helpful
3 Replies 3

varrao
Level 10
Level 10

‎05-24-2011 11:51 AM

Hi Jay,

Are you in a situation where the http 1.0 request is leaking the private ip of your server? is that yu u want to block it??

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Sentia NOC
Level 1
Level 1
In response to varrao

‎05-25-2011 01:13 AM

Hi Varun,

thx for our reply

We have a 1 to 1 nat.

But no not really, it was due to an attack on port 80 where the attacker used massive GET  -> HTTP/1.0, i know the risks of filtering out HTTP/1.0(google search I believe uses HTTP/1.0 ), the attack has stopped by an apache server block so it's not critical, but for cases in the future i would like to filter any aspect i choose for port 80.

Sof if anyone could give me an example of an inspectmap where microfiltering on port 80 is used for filtering out HTTP/1.0 it would be great

Jens

0 Helpful

brquinn
Level 1
Level 1
In response to Sentia NOC

‎05-25-2011 06:59 AM

Jens,

I tested this on my ASA and it appears to work. I tested by changing the "about:config" on my firefox for network.http.version from 1.1 to 1.0.

access-list inside_http extended permit tcp 192.168.2.0 255.255.255.0 any eq www
!
regex http10 "HTTP/1.0"
!
class-map test_http_map
match access-list inside_http
!
class-map type inspect http match-all deny_http_1.0
match request args regex http10
!
policy-map type inspect http inspect_http_with_blocking
parameters
class deny_http_1.0
  reset log
!
policy-map global_policy
  class test_http_map
   inspect http inspect_http_with_blocking

I don't think it would be a good idea to run this all the time. But if you do get hit again, you should be able to put it in place quickly to mitigate the attack.

Thanks,

Brendan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card