cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


687
Views
0
Helpful
3
Replies
Beginner

inspection rule deny HTTP/1.0 traffic from outside 2 webserver

Hi,

We have a case where we need to deny incoming traffic on the outside interface containing HTTP/1.0 requests. Im not sure if it has to be scripted or the inspection maps for HTTP can manage this.

Help would be apprieciated.

Jens

3 REPLIES 3
Advocate

Re: inspection rule deny HTTP/1.0 traffic from outside 2 webserv

Hi Jay,

Are you in a situation where the http 1.0 request is leaking the private ip of your server? is that yu u want to block it??

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Highlighted
Beginner

Re: inspection rule deny HTTP/1.0 traffic from outside 2 webserv

Hi Varun,

thx for our reply

We have a 1 to 1 nat.

But no not really, it was due to an attack on port 80 where the attacker used massive GET  -> HTTP/1.0, i know the risks of filtering out HTTP/1.0(google search I believe uses HTTP/1.0 ), the attack has stopped by an apache server block so it's not critical, but for cases in the future i would like to filter any aspect i choose for port 80.

Sof if anyone could give me an example of an inspectmap where microfiltering on port 80 is used for filtering out HTTP/1.0 it would be great

Jens

Beginner

Re: inspection rule deny HTTP/1.0 traffic from outside 2 webserv

Jens,

I tested this on my ASA and it appears to work. I tested by changing the "about:config" on my firefox for network.http.version from 1.1 to 1.0.

access-list inside_http extended permit tcp 192.168.2.0 255.255.255.0 any eq www
!
regex http10 "HTTP/1.0"
!
class-map test_http_map
match access-list inside_http
!
class-map type inspect http match-all deny_http_1.0
match request args regex http10
!
policy-map type inspect http inspect_http_with_blocking
parameters
class deny_http_1.0
  reset log
!
policy-map global_policy
  class test_http_map
   inspect http inspect_http_with_blocking

I don't think it would be a good idea to run this all the time. But if you do get hit again, you should be able to put it in place quickly to mitigate the attack.

Thanks,

Brendan