nanog mailing list archives
Re: Worm probes
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Tue, 18 Sep 2001 19:36:27 +0200 (CEST)
On Tue, 18 Sep 2001, Joseph McDonald wrote:
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Or what about this: redirect your 404 to a PHP script with something like: ErrorDocument 404 /404.php and then let a script like this waste the attacker's time: <? echo "404 This page is not available.\n"; flush(); sleep(150); ?> This should slow the scanning and thus the waste of bandwidth and spread rate of the infections down. At least, if the worm is single threaded. Iljitsch van Beijnum
Current thread:
- Re: Worm probes, (continued)
- Re: Worm probes sigma (Sep 18)
- Re: Worm probes Valdis . Kletnieks (Sep 18)
- RE: Worm probes Eric Germann (Sep 18)
- Re: Worm probes Ulf Zimmermann (Sep 18)
- Re: Worm probes k claffy (Sep 18)
- Re: Worm probes Joe Abley (Sep 18)
- Re: Worm probes Daniel Senie (Sep 18)
- Re: Worm probes Iljitsch van Beijnum (Sep 18)
- Re: Worm probes M. David Leonard (Sep 19)
- Re: Worm probes Brett Frankenberger (Sep 19)
- Re: Re[2]: Worm probes Nick Thompson (Sep 18)
- Re: Re[2]: Worm probes Rafi Sadowsky (Sep 18)
- Re: Worm probes Ulf Zimmermann (Sep 18)