nanog mailing list archives

Re: Worm probes

From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Tue, 18 Sep 2001 19:36:27 +0200 (CEST)


On Tue, 18 Sep 2001, Joseph McDonald wrote:

Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
to lessen the impact?  One idea:  Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.


Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

<?
  echo "404 This page is not available.\n";
  flush();
  sleep(150);
?>

This should slow the scanning and thus the waste of bandwidth and spread
rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum

Current thread:

Re: Worm probes, (continued)
- - - Re: Worm probes sigma (Sep 18)
    - Re: Worm probes Valdis . Kletnieks (Sep 18)
    - RE: Worm probes Eric Germann (Sep 18)
    - Re: Worm probes Ulf Zimmermann (Sep 18)
    - Re: Worm probes k claffy (Sep 18)
    - Re: Worm probes Joe Abley (Sep 18)
- Re: Worm probes Daniel Senie (Sep 18)
- Re: Worm probes Hermann Wecke (Sep 18)
- Re: Worm probes Joseph McDonald (Sep 18)
  - Re: Worm probes Daniel Senie (Sep 18)
  - Re: Worm probes Iljitsch van Beijnum (Sep 18)
    - Re: Worm probes M. David Leonard (Sep 19)
    - Re: Worm probes Brett Frankenberger (Sep 19)
  - Re: Worm probes z (Sep 18)
  - Re[2]: Worm probes David Ulevitch (Sep 18)
    - Re: Re[2]: Worm probes Nick Thompson (Sep 18)
    - Re: Re[2]: Worm probes Rafi Sadowsky (Sep 18)
  - Re: Worm probes Jeff Gehlbach (Sep 18)
- RE: Worm probes Don Lundquist (Sep 18)
- RE: Worm probes Smith, Rick (Sep 18)
  - Re: Worm probes Ulf Zimmermann (Sep 18)

(Thread continues...)