Security Incidents mailing list archives
RE: [incidents] Bots hitting my web server?
From: Rob Keown <Keown () MACDIRECT COM>
Date: Fri, 30 Aug 2002 17:36:33 -0400
I would recommend the switch to a new IP address. Use DNS Round Robin (assuming you can multi-home) for the transition period and once TTLs have expired eliminate the exploited address.

Rob

-----Original Message-----
From: zcat () bsd co nz [mailto:zcat () bsd co nz]
Sent: Friday, August 30, 2002 2:48 AM
Cc: incidents () securityfocus com
Subject: RE: [incidents] Bots hitting my web server?
You're not seeing bots, you're seeing surfers in a misguided attempt to keep their "anonymity," or to defeat proxies that filter by domain/host in corporate/school environments (hence the porn site requests you see in your logs).
Here's another suggestion. Reconfigure apache so that every time someone attempts to use it as a proxy it returns (in the appropriate format; html, jpg, etc. to match the request) a small message announcing that the request and client IP are being logged to a publicly accessible web page. On that web page explain WHY you're doing this (cost of bandwidth etc). That should get you off the end-user's proxy lists very quickly, and will eventually help with the public lists too. And it'll educate a few of the proxy-list users who are probably under the impression that all proxies are run intentionally as a public service, like IRC servers and MUDs.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
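The logging half of the suggestion above, as an added example that is not part of the original thread or either poster's code: a Python script that scans Apache access-log lines for proxy-style requests (an absolute-URI target naming a foreign host, or the CONNECT method) and tallies them per client IP. The LOCAL_HOSTS names and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
# Hostnames this server legitimately answers for (assumption; placeholder values).
LOCAL_HOSTS = {"www.example.org", "example.org"}
# Apache common/combined log prefix: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')

def proxy_attempt(request_line):
    """Return the foreign host a request line tries to reach through us, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":          # tunnel request; target is host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" not in target:          # origin-form ("/path") is ordinary traffic
        return None
    try:                             # absolute-URI form is what a proxy client sends
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:               # malformed target, e.g. broken IPv6 brackets
        return None
    return host if host and host not in LOCAL_HOSTS else None

def summarize(lines):
    """Tally proxy attempts per client IP, and how many were answered with a 2xx."""
    attempts, served = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or proxy_attempt(m.group(2)) is None:
            continue
        client, status = m.group(1), m.group(3)
        attempts[client] += 1
        if status.startswith("2"):   # answered: the clients worth following up on
            served[client] += 1
    return attempts, served

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/Aug/2002:02:10:01 +1200] "GET http://ads.example.net/banner.gif HTTP/1.0" 200 1532',
    '192.0.2.10 - - [30/Aug/2002:02:10:03 +1200] "CONNECT mail.example.net:25 HTTP/1.0" 405 0',
    '198.51.100.7 - - [30/Aug/2002:02:11:40 +1200] "GET /index.html HTTP/1.1" 200 4096',
    '198.51.100.7 - - [30/Aug/2002:02:11:41 +1200] "GET http://www.example.org/index.html HTTP/1.1" 200 4096',
    '203.0.113.5 - - [30/Aug/2002:02:12:00 +1200] "GET http://other.example.com/ HTTP/1.0" 403 210',
]
if __name__ == "__main__":
    attempts, served = summarize(SAMPLE)
    for ip, n in attempts.most_common():
        print(f"{ip}\t{n} proxy attempts\t{served[ip]} answered 2xx")
```

A 2xx on such a line only shows the request was answered; whether the body came from a remote site or from the server's own default content has to be checked against the response size or the proxy module's configuration.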
Current thread:
- RE: [incidents] Bots hitting my web server? Rob Keown (Sep 02)