From owner-freebsd-security Sun Sep 23 6: 9:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id 19B9E37B40B for ; Sun, 23 Sep 2001 06:09:15 -0700 (PDT)
Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id GAA20291 for ; Sun, 23 Sep 2001 06:09:08 -0700 (PDT) (envelope-from greg@bogslab.ucdavis.edu)
Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id f8ND72A10817 for ; Sun, 23 Sep 2001 06:07:03 -0700 (PDT) (envelope-from greg@thistle.bogs.org)
Message-Id: <200109231307.f8ND72A10817@thistle.bogs.org>
To: security@FreeBSD.ORG
X-To: David G Andersen
X-Sender: owner-freebsd-security@FreeBSD.ORG
Subject: Re: New worm protection
In-reply-to: Your message of "Sun, 23 Sep 2001 02:36:46 MDT." <200109230836.f8N8akx29012@faith.cs.utah.edu>
Reply-To: gkshenaut@ucdavis.edu
Date: Sun, 23 Sep 2001 06:07:01 -0700
From: Greg Shenaut
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede:
>I like the following
>simple script, which is what I run on my webservers.
> [script using a sleep(5) for delay purposes]
>
>NIMDA doesn't hang out for very long waiting for a response
>to the script headers, so a labrea-tarpit like approach won't
>actually be particularly effective. The sleep(5) will slow
>it down a little bit, and the exit(0) will make it
>return with no data sent back, not even a 404. Which
>will help a bit on the outbound bandwidth, but, of course
>won't help on the inbound.
>
>Others have posted scripts to
>NANOG (see http://www.nanog.org/ and check the archive)
>that will automatically trigger ipfw / ipchains additions,
>but, as always, be particularly careful with those.

What would be the effect of having the web server ignore (as in, make no response at all to) *any* attempt to GET a nonexistent file? It seems to me that this would delay things maximally for the attacker with the least effort at the server end. But I am concerned about the effect on innocent mistypers and web crawling search engines (but not too concerned, frankly).

Greg Shenaut

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
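The thread mentions scripts that watch a web server and automatically add ipfw / ipchains rules, and Shenaut's worry about punishing innocent mistypers and search-engine crawlers along with the worm. The following is an added example, not code from this thread or from either poster, of the log-side decision such a script has to make: it parses Apache-style common log format lines, keeps only requests that returned 404, and flags a client only when it produced a burst of misses inside a short time window, so a single typo or a crawler's occasional stale link does not trip it. The log lines, client addresses, paths, threshold and window are all constructed for the example; the paths are placeholders, not worm signatures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache Common Log Format, e.g.
# 10.0.0.5 - - [23/Sep/2001:06:07:01 -0700] "GET /missing HTTP/1.0" 404 0
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def flag_probing_hosts(lines, threshold=5, window_seconds=60):
    """Return {host: total_404s} for hosts that produced at least
    `threshold` 404 responses inside any `window_seconds` interval.

    Hosts with only scattered misses (a mistyped URL, a crawler hitting a
    stale link) never reach the threshold and are not flagged.
    """
    window = timedelta(seconds=window_seconds)
    misses = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["status"] == 404:
            misses[rec["host"]].append(rec["time"])

    flagged = {}
    for host, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within the window.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged


# Constructed sample log: 192.0.2.10 fires six misses in seven seconds,
# 198.51.100.7 has two misses ten minutes apart plus a normal page view.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2001:06:07:01 -0700] "GET /nonexistent-1 HTTP/1.0" 404 0',
    '192.0.2.10 - - [23/Sep/2001:06:07:02 -0700] "GET /nonexistent-2 HTTP/1.0" 404 0',
    '198.51.100.7 - - [23/Sep/2001:06:07:03 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [23/Sep/2001:06:07:03 -0700] "GET /nonexistent-3 HTTP/1.0" 404 0',
    '198.51.100.7 - - [23/Sep/2001:06:07:05 -0700] "GET /indx.html HTTP/1.1" 404 0',
    '192.0.2.10 - - [23/Sep/2001:06:07:05 -0700] "GET /nonexistent-4 HTTP/1.0" 404 0',
    '192.0.2.10 - - [23/Sep/2001:06:07:06 -0700] "GET /nonexistent-5 HTTP/1.0" 404 0',
    '192.0.2.10 - - [23/Sep/2001:06:07:08 -0700] "GET /nonexistent-6 HTTP/1.0" 404 0',
    '198.51.100.7 - - [23/Sep/2001:06:17:30 -0700] "GET /old-page HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, n in flag_probing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} misses, burst threshold exceeded")
```

Run on the constructed sample, only 192.0.2.10 is reported; the mistyping client's two misses are too far apart to count as a burst. Whatever consumes this output (a hand-reviewed block list, or the kind of ipfw trigger the thread warns to be careful with) should still get the threshold and window tuned against real traffic first, since a busy crawler on a site with many dead links can look burst-like too.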