
block double HTTP 302 redirects

Is there a way to have mwg7 immediately block the response if it sees two HTTP 302 redirects in a row?  Here's the scenario:

  1. A user is casually browsing the internet.
  2. Without being aware of it they come across a malicious or compromised web site which does an HTTP 302 redirect to another site
  3. That site in question does yet another HTTP 302 redirect to another site
  4. The final site (I've sometimes even seen a third redirect) is the one that delivers the malicious exploit

Although HTTP 302 redirects have their purpose on legit web sites, 2 or more redirects in a row is immediately suspicious to me and warrants either outright blocking or a more aggressive filtering policy to be applied.

See the flowchart here for more details on this infection technique: http://nakedsecurity.sophos.com/2012/07/05/pseudo-random-domain-name-generation-and-blackhole/

4 Replies

Re: block double HTTP 302 redirects

I think this would be a bad idea. I see quite a lot of sites that use multiple 302s. For example, SourceForge uses them for the download links.

Tris


Re: block double HTTP 302 redirects

I would also add a lot of analytics use redirects. Not Google, but some of the other trackers, and while it might be nice from a privacy standpoint, it may also keep a page from loading at all.

That said, the problem you would have in making a ruleset for this is that all redirects entail a new request and a new 'transaction'. We don't keep a state table for separate requests for the same user/client ip address.

I would say that it's probably theoretically possible, but ill-advised.

--CN

Re: block double HTTP 302 redirects

We don't keep a state table for separate requests for the same user/client ip address.

Yeah that's what I wasn't sure of.  I couldn't think about how things would be properly tracked through multiple cycles but wasn't sure if there was a technique that handles this.  This answers my question.

Re: block double HTTP 302 redirects

Good point, but what if I did this only for uncategorized or unverified sites?
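
The correlation discussed in this thread, sketched as offline detection over proxy access logs rather than as a gateway ruleset. This is an added example, not part of any post and not McAfee Web Gateway code; the log format, the `find_redirect_chains` name and its parameters are assumptions, the sample lines are constructed, and Location headers are assumed to be absolute URLs.

```python
# Constructed sample proxy log (hypothetical format, one response per line):
# epoch_seconds client_ip status request_url location_header category
# "-" means no Location header or no URL category.
SAMPLE_LOG = """\
100 10.0.0.5 302 http://blog.example/post http://a1b2c3.example/in -
101 10.0.0.5 302 http://a1b2c3.example/in http://x9y8z7.example/land -
102 10.0.0.5 200 http://x9y8z7.example/land - -
200 10.0.0.7 302 http://downloads.example/get http://mirror.example/f.zip software
201 10.0.0.7 302 http://mirror.example/f.zip http://cdn.example/f.zip software
202 10.0.0.7 200 http://cdn.example/f.zip - software
300 10.0.0.9 302 http://news.example/out http://tracker.example/c -
301 10.0.0.9 200 http://tracker.example/c - -
"""


def find_redirect_chains(log_text, min_hops=2, window=10, only_uncategorized=True):
    """Return (client, [urls]) for each run of >= min_hops consecutive 302s."""
    pending = {}  # (client, redirect target) -> (timestamp, URLs seen so far)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, location, category = line.split()
        ts = int(ts)
        # Was this request the target of an earlier 302 sent to the same client?
        prev = pending.pop((client, url), None)
        chain = prev[1] if prev and ts - prev[0] <= window else []
        if status == "302" and location != "-":
            if only_uncategorized and category != "-":
                continue  # a categorized hop ends the chain without an alert
            pending[(client, location)] = (ts, chain + [url])
        elif len(chain) >= min_hops:
            alerts.append((client, chain + [url]))
    return alerts


if __name__ == "__main__":
    for client, chain in find_redirect_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

With `only_uncategorized=False` the categorized download-mirror chain in the sample is reported as well, which is the false-positive case raised in the replies.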
