Date:      Sun, 23 Sep 2001 12:17:32 -0500
From:      Steve Ames <steve@virtual-voodoo.com>
To:        Chris BeHanna <behanna@zbzoom.net>
Cc:        Chris Byrnes <chris@JEAH.net>, security@FreeBSD.ORG
Subject:   Re: New worm protection
Message-ID:  <20010923121732.B56611@virtual-voodoo.com>
In-Reply-To: <20010923014113.P45913-100000@topperwein.dyndns.org>
References:  <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> <20010923014113.P45913-100000@topperwein.dyndns.org>

One simple shell script and you can automatically add offenders
to your ipfw ruleset. Won't stop the initial probe but will stop
repeat performances.

I use the following run out of cron every minute:


#!/bin/sh
# Run from cron every minute.  Apache 1.3 error-log lines look like
#   [date] [error] [client A.B.C.D] File does not exist: ...cmd.exe
# so $8 is "A.B.C.D]"; the second awk strips the bracket and emits one ipfw
# deny rule per unique address.  Lines logged between the cat and the truncation are lost.
cd /root
grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u | awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l && cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new && cat /dev/null > /var/log/httpd-error.log
/bin/sh l && /bin/rm l

Short and simple. It's not perfect but it has reduced my bandwidth quite a
bit.

-Steve


On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote:
> On Thu, 20 Sep 2001, Chris Byrnes wrote:
> 
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
> 
>     There's La Brea, but that's probably not quite what you're looking
> for.
> 
> > I have restricted Apache to just listen to my main two web IPs
> > instead of all of the IPs (I have hundreds of domains and each of
> > them previously had its own IP for different reasons), and that's
> > cut down the bandwidth use in half, but I'm still about double what
> > my daily normal bandwidth usage is.
> 
>     As others have posted, you can tell Apache not to log certain
> requests.  That will help your logfile.
> 
>     To avoid wasting bandwidth sending a 404, you could possibly
> either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the
> attacks; i.e., redirect the request to a CGI script that sets MSS to a
> few bytes (à la La Brea), pretending to legitimately service the
> request.  Be careful:  you will have to watch the number of sockets
> you have open and the number of threads you tie up in this manner.
> Perhaps someone with more time than I have can author up a "mod_NIMDA"
> that can be configured with a max # of threads or max# connections to
> tarpit in this fashion, so that you can limit the amount of resources
> that you use.  Any inbound attacks in excess of these limits can
> simply be dropped on the floor.
> 
> > Frustration is high, and money issues are going to surface soon.
> > Any help would be appreciated.
> 
>     This is the best I can do with the time I have available.  I'm in
> the middle of combatting this problem with a proxy server that is
> under attack (for which I have access to the source).  My solution is
> to do regex parsing on the request using Boost's regex++ (see
> http://www.boost.org) to drop the requests on the floor (i.e., I'm not
> even going to dignify them with a 404), but keep a hash map of
> requesting IP addresses and number of attacks, which periodically gets
> dumped to a separate logfile.  I'd use regex() and regcmp(), but this
> also has to run on Windows.  Unfortunately, I can't share the source,
> but this description should be enough to get you going.
> 
>     Fortunately, I've seen the rate of NIMDA attacks drop by a factor
> of four over the last couple of days.  Either IIS webmasters are
> getting a clue, or their ISPs are being clueful for them (DSL.net, for
> example, is shutting off their infected customers until those
> customers demonstrate that they've fixed their servers).
> 
> -- 
> Chris BeHanna
> Software Engineer                   (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
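The two approaches in this thread (Steve's "grep the error log, emit ipfw deny rules" script and Chris's "parse the request, keep a hash map of attacking IPs and hit counts") can be combined into one small program. The following is an added example written for this archive page; it is neither Steve's nor Chris's code. It assumes the Apache 1.3 error-log layout that Steve's awk '$8' extraction relies on, a constructed sample log (addresses from the RFC 5737 documentation ranges), an assumed list of worm probe filenames (cmd.exe, root.exe, default.ida), and an assumed starting ipfw rule number of 2000. Unlike the awk version it ignores lines that do not match the expected format, can require a minimum hit count before blocking, and skips addresses a previous run already blocked, so it can run repeatedly without piling up duplicate rules.

```python
import re
from collections import Counter

# Apache 1.3 error-log line: [date] [level] [client A.B.C.D] message
# (the layout the awk '$8' field extraction in the script above relies on).
ERROR_LINE = re.compile(
    r'^\[[^\]]+\] \[(?P<level>\w+)\] '
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$'
)

# Filenames the IIS worms of the time requested.  Assumed for this example;
# extend as needed.
PROBE_PATTERNS = [
    re.compile(r'cmd\.exe', re.IGNORECASE),
    re.compile(r'root\.exe', re.IGNORECASE),
    re.compile(r'default\.ida', re.IGNORECASE),
]

# Constructed sample log.  Line 5 has no [client] field and line 6 is not an
# error-log entry at all; both are the kind of input that makes the plain
# awk '$8' approach emit garbage into the ipfw command file.
SAMPLE_LOG = """\
[Sun Sep 23 11:58:01 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/scripts/root.exe
[Sun Sep 23 11:58:02 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/c/winnt/system32/cmd.exe
[Sun Sep 23 11:58:05 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/scripts/..%5c../winnt/system32/cmd.exe
[Sun Sep 23 11:59:10 2001] [error] [client 203.0.113.4] File does not exist: /usr/local/www/data/favicon.ico
[Sun Sep 23 11:59:12 2001] [notice] child pid 4242 exit signal Segmentation fault (11)
garbage line mentioning cmd.exe that is not an error-log entry
"""


def probing_ips(lines):
    """Return a Counter {client ip: number of worm-probe lines}.

    This is the 'hash map of requesting IPs and attack counts' idea: every
    well-formed error line whose message matches a probe pattern counts one
    hit for its client address.  Malformed lines are skipped, not parsed.
    """
    counts = Counter()
    for line in lines:
        m = ERROR_LINE.match(line)
        if not m:
            continue
        if any(p.search(m.group('msg')) for p in PROBE_PATTERNS):
            counts[m.group('ip')] += 1
    return counts


def ipfw_rules(counts, already_blocked=frozenset(), threshold=1, first_rule=2000):
    """Turn the hit counts into ipfw commands.

    Only addresses with at least `threshold` hits that are not already in
    `already_blocked` get a rule.  Rules get explicit numbers (assumed to
    start at 2000) so they can later be deleted with 'ipfw delete <n>'.
    Returns (list of command strings, set of newly blocked addresses).
    """
    rules = []
    newly = set()
    n = first_rule
    for ip, hits in sorted(counts.items()):
        if hits < threshold or ip in already_blocked:
            continue
        rules.append(f'/sbin/ipfw add {n} deny ip from {ip} to any')
        newly.add(ip)
        n += 1
    return rules, newly


if __name__ == '__main__':
    hits = probing_ips(SAMPLE_LOG.splitlines())
    for ip, count in sorted(hits.items()):
        print(f'{ip} {count}')          # the per-IP attack report
    for rule in ipfw_rules(hits)[0]:
        print(rule)                     # what the cron job would execute
```

In a real cron job the set of already-blocked addresses would be persisted between runs (a one-address-per-line state file is enough), and the log would be read from the byte offset where the previous run stopped rather than truncated, which avoids the window in the shell version where lines written between the copy and the truncation are lost.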




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010923121732.B56611>