Date: Sun, 23 Sep 2001 06:07:01 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
To: security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <200109231307.f8ND72A10817@thistle.bogs.org>
In-Reply-To: Your message of "Sun, 23 Sep 2001 02:36:46 MDT." <200109230836.f8N8akx29012@faith.cs.utah.edu>

In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede:
>I like the following
>simple script, which is what I run on my webservers.
>
[script using a sleep(5) for delay purposes]
>
>NIMDA doesn't hang out for very long waiting for a response
>to the script headers, so a labrea-tarpit like approach won't
>actually be particularly effective. The sleep(5) will slow
>it down a little bit, and the exit(0) will make it
>return with no data sent back, not even a 404. Which
>will help a bit on the outbound bandwidth, but, of course
>won't help on the inbound. Others have posted scripts to
>NANOG (see http://www.nanog.org/ and check the archive)
>that will automatically trigger ipfw / ipchains additions,
>but, as always, be particularly careful with those.

What would be the effect of having the web server ignore (as in,
make no response at all to) *any* attempt to GET a nonexistent
file? It seems to me that this would delay things maximally for
the attacker with the least effort at the server end. But I am
concerned about the effect on innocent mistypers and web crawling
search engines (but not too concerned, frankly).

Greg Shenaut

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
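
The behaviour discussed in this message (hold the connection briefly, then close it with no bytes sent, not even a 404) can be observed from both ends with the sketch below. It is an added example, not code from the thread or from any poster; the document set, the hold time, and the names handle, serve and fetch are assumptions made for the demonstration.

```python
import socket
import threading
import time

# Constructed document set; every other path is treated as nonexistent.
DOCS = {"/": b"<h1>home</h1>\n", "/index.html": b"<h1>home</h1>\n"}
HOLD_SECONDS = 0.2  # assumed hold time for the demo; the quoted script slept 5 s

def handle(conn, hold=HOLD_SECONDS):
    """Send 200 for a GET of a known path; anything else gets zero bytes."""
    with conn:
        conn.settimeout(2.0)
        try:
            line = conn.recv(4096).decode("latin-1").split("\r\n", 1)[0].split()
        except OSError:
            return
        is_get = len(line) >= 2 and line[0] == "GET"
        body = DOCS.get(line[1].split("?", 1)[0]) if is_get else None
        if body is None:
            time.sleep(hold)  # this worker (and its socket) stays tied up meanwhile
            return            # no status line at all, not even a 404
        head = "HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
        conn.sendall(head.encode("ascii") + body)

def serve(host="127.0.0.1", port=0):
    """Start a threaded listener; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(16)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def fetch(port, path):
    """Client view: (bytes received, seconds until the server closed)."""
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(("GET %s HTTP/1.0\r\n\r\n" % path).encode("ascii"))
        data = b""
        while chunk := c.recv(4096):
            data += chunk
    return data, time.monotonic() - start
```

Each silent connection still occupies a thread and a socket on the server for the hold time, which is the server-side cost to weigh against the delay seen by the client.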