nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Worm probes

From: "M. David Leonard" <mdl () equinox shaysnet com>
Date: Wed, 19 Sep 2001 11:02:52 -0400 (EDT)



        I'm gonna suggest this one more time:  LaBrea, from

http://www.threenorth.com/LaBrea

should make these attacks slow down like they're wading through 
molasses.  Now, if most or all ISPs installed tarpits like this it would 
seriously reduce the virulence of the attacks.  Just my $0.02 worth.



                                        David Leonard
                                        ShaysNet

On Tue, 18 Sep 2001, Iljitsch van Beijnum wrote:



On Tue, 18 Sep 2001, Joseph McDonald wrote:


Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
to lessen the impact?  One idea:  Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.


Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

<?
  echo "404 This page is not available.\n";
  flush();
  sleep(150);
?>

This should slow the scanning and thus the waste of bandwidth and spread
rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum
Previous By Date Next
Previous By Thread Next

Current thread: