Date: Tue, 18 Sep 2001 23:48:38 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Chris Faulhaber <jedgar@fxp.org>, Jim Arnold <jim@ohio.com>, freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks
Message-ID: <20010918234838.T33432@mail.webmonster.de>
In-Reply-To: <20010918173115.A53937@peitho.fxp.org>; from jedgar@fxp.org on Tue, Sep 18, 2001 at 05:31:15PM -0400
References: <20010918195218.P27375@mail.webmonster.de> <a05100308b7cd4104a941@[206.128.102.10]> <20010918203128.B33432@mail.webmonster.de> <20010918173115.A53937@peitho.fxp.org>
Chris Faulhaber(jedgar@fxp.org)@2001.09.18 17:31:15 +0000:
> On Tue, Sep 18, 2001 at 08:31:28PM +0200, Karsten W. Rohrbach wrote:
> > Jim Arnold(jim@ohio.com)@2001.09.18 14:21:50 +0000:
> > > i am running an apache server on linux. how do i stop it from gobbling
> > > all my bandwidth? i'm being hit by dozens of different servers.
> >
> > you might configure your 404 error handler to spit out a very small
> > file (for example containing just one space character '%20').
> >
> > mod_throttle or other bandwidth control tools will not help, since the
> > worm hits each server it scans with a list of several URIs and that's
> > pretty much it.
> >
> > if the worm catches a 404 http error it will cease scanning this
> > particular system. bad, that it does not honor redirect requests ;-)
> >
>
> I tend to disagree with the next-to-last sentence. I have logged
> over 6600 requests from 37 unique hosts in the class B on which
> my box is located, each request generating a 404. These requests
> are pretty much generating a constant stream of log entries.
> While the bandwidth doesn't seem to be an issue here, and apache's
> CPU usage is 0.00 (server is a Pentium 166), my logs are bulging.
correct. my preliminary analysis of the worm's behaviour was wrong.
it does NOT stop after catching a 404. i was misled by several boxes in
the colo where some of my servers are housed. they apparently shut down
several of the attacking iis servers while i was still staring at the
logs.
when it comes to log management, you could use grep as a pipe logger,
together with djb's multilog from daemontools:
ErrorLog "|exec grep -v 'File does not exist:' \
| setuidgid loguser multilog s1000000 n10 /path/to/errorlog"
which would log everything that's not "file not found" for the httpd
(which normally would throw the 404) to another pipe into multilog, which
runs under the uid of loguser and puts the log output in /path/to/errorlog
while rotating the logs every 1000000 bytes, keeping 10 logs in history,
thus limiting disk usage. /path/to/errorlog is a directory.
you could also do
ErrorLog "|exec grep -v 'File does not exist:' >/path/to/error_log"
this would log less output to the errorlog, but you would have to rotate
it yourself.
but anyway, you've got to do log management on every server that's out
there. not just httpds but every other daemon's logs, too...
/k
--
> A truly wise man never plays leapfrog with a unicorn.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
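The pipeline Karsten describes above (filter the 404 noise with grep, then hand the rest to a size-rotating logger) as an added example, not code from the original message and not multilog itself: a small POSIX sh stand-in that drops "File does not exist:" lines, appends the rest to DIR/current and rotates by byte count, keeping a bounded number of history files. The file names (current, rotated.N), the 150-byte threshold and the Apache 1.3-style sample lines are constructed for this demo and are not multilog's actual naming or format.

```shell
#!/bin/sh
# Added example (not from the original message): a pure-sh stand-in for
#   grep -v 'File does not exist:' | multilog s<bytes> n<count> DIR
# Names, sizes and sample log lines below are constructed for the demo.

# rotate_if_needed DIR MAXBYTES KEEP
# When DIR/current has reached MAXBYTES, shift rotated.1..rotated.KEEP down
# one slot (dropping the oldest) and move current into rotated.1.
rotate_if_needed() {
    dir=$1
    maxbytes=$2
    keep=$3
    if [ ! -f "$dir/current" ]; then return 0; fi
    size=$(wc -c < "$dir/current" | tr -d ' ')
    if [ "$size" -lt "$maxbytes" ]; then return 0; fi
    rm -f "$dir/rotated.$keep"            # the oldest history file goes away
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/rotated.$prev" ]; then
            mv "$dir/rotated.$prev" "$dir/rotated.$i"
        fi
        i=$prev
    done
    mv "$dir/current" "$dir/rotated.1"
}

# filtered_logger DIR MAXBYTES KEEP   (reads error_log lines on stdin)
# Drops the worm's 404 chatter, keeps everything else, rotates by size.
filtered_logger() {
    dir=$1
    maxbytes=$2
    keep=$3
    mkdir -p "$dir"
    while IFS= read -r line; do
        case $line in
            *"File does not exist:"*) continue ;;   # what the worm generates
        esac
        printf '%s\n' "$line" >> "$dir/current"
        rotate_if_needed "$dir" "$maxbytes" "$keep"
    done
}

# Constructed sample: four worm probes (404s) interleaved with three lines
# an operator actually wants to keep. Addresses are documentation ranges.
SAMPLE_LOG='[Tue Sep 18 23:48:38 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/scripts/root.exe
[Tue Sep 18 23:48:38 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/MSADC/root.exe
[Tue Sep 18 23:48:39 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/c/winnt/system32/cmd.exe
[Tue Sep 18 23:48:40 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
[Tue Sep 18 23:48:41 2001] [error] [client 192.0.2.11] File does not exist: /usr/local/www/data/scripts/root.exe
[Tue Sep 18 23:48:42 2001] [error] [client 198.51.100.7] Premature end of script headers: /usr/local/www/cgi-bin/foo.cgi
[Tue Sep 18 23:48:43 2001] [warn] child process 1234 still did not exit, sending a SIGTERM'

# run_demo: push the sample through the logger with a 150-byte rotation
# threshold and two history files, then report what survived on disk.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" | filtered_logger "$dir" 150 2
    kept=$(cat "$dir"/current "$dir"/rotated.* 2>/dev/null | wc -l | tr -d ' ')
    noise=$(cat "$dir"/current "$dir"/rotated.* 2>/dev/null | grep -c 'File does not exist:' || true)
    files=$(ls "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "kept=$kept files=$files noise=$noise"
}

run_demo   # prints: kept=3 files=2 noise=0
```

To wire it into httpd the same way as the multilog line in the message, the script would be started as the ErrorLog pipe program and read from stdin; note that, like the grep in the original pipeline, nothing here limits how many lines per second the worm can make httpd emit, it only bounds what reaches disk.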
