From owner-freebsd-security Sun Sep 23 10:17:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from virtual-voodoo.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id CE57137B40E for ; Sun, 23 Sep 2001 10:17:40 -0700 (PDT)
Received: (from steve@localhost) by virtual-voodoo.com (8.11.6/8.11.5) id f8NHHWh34820; Sun, 23 Sep 2001 12:17:32 -0500 (EST) (envelope-from steve)
Date: Sun, 23 Sep 2001 12:17:32 -0500
From: Steve Ames
To: Chris BeHanna
Cc: Chris Byrnes , security@FreeBSD.ORG
Subject: Re: New worm protection
Message-ID: <20010923121732.B56611@virtual-voodoo.com>
References: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> <20010923014113.P45913-100000@topperwein.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010923014113.P45913-100000@topperwein.dyndns.org>
User-Agent: Mutt/1.3.22.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

One simple shell script and you can automatically add offenders to your
ipfw ruleset. Won't stop the initial probe but will stop repeat
performances. I use the following run out of cron every minute:

#!/bin/sh
# Run from cron once a minute. Every client that asked for cmd.exe gets an
# ipfw deny rule; the error log is then rolled into httpd-error.log.new and
# emptied so the next run only sees new probes.
cd /root
# Apache 1.3 error-log lines look like
#   [Sun Sep 23 12:00:00 2001] [error] [client A.B.C.D] File does not exist: ...
# so field 8 is "A.B.C.D]"; the second awk splits on "]" to drop the bracket.
grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u | \
  awk -F\] '{printf("/sbin/ipfw add deny ip from %s to any\n", $1);}' > l && \
  cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new && \
  cat /dev/null > /var/log/httpd-error.log
# l now holds one "ipfw add deny" command per offending IP; run it, then remove it.
/bin/sh l && /bin/rm l

Short and simple. It's not perfect but it has reduced my bandwidth quite
a bit.

-Steve

On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote:
> On Thu, 20 Sep 2001, Chris Byrnes wrote:
>
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> There's La Brea, but that's probably not quite what you're looking
> for.
>
> > I have restricted Apache to just listen to my main two web IPs
> > instead of all of the IPs (I have hundreds of domains and each of
> > them previously had its own IP for different reasons), and that's
> > cut down the bandwidth use in half, but I'm still about double what
> > my daily normal bandwidth usage is.
>
> As others have posted, you can tell Apache not to log certain
> requests. That will help your logfile.
>
> To avoid wasting bandwidth sending a 404, you could possibly
> either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the
> attacks; i.e., redirect the request to a CGI script that sets MSS to a
> few bytes (a la La Brea), pretending to legitimately service the
> request. Be careful: you will have to watch the number of sockets
> you have open and the number of threads you tie up in this manner.
> Perhaps someone with more time than I have can author up a "mod_NIMDA"
> that can be configured with a max # of threads or max # of connections to
> tarpit in this fashion, so that you can limit the amount of resources
> that you use. Any inbound attacks in excess of these limits can
> simply be dropped on the floor.
>
> > Frustration is high, and money issues are going to surface soon.
> > Any help would be appreciated.
>
> This is the best I can do with the time I have available. I'm in
> the middle of combating this problem with a proxy server that is
> under attack (for which I have access to the source). My solution is
> to do regex parsing on the request using Boost's regex++ (see
> http://www.boost.org) to drop the requests on the floor (i.e., I'm not
> even going to dignify them with a 404), but keep a hash map of
> requesting IP addresses and number of attacks, which periodically gets
> dumped to a separate logfile. I'd use regex() and regcmp(), but this
> also has to run on Windows. Unfortunately, I can't share the source,
> but this description should be enough to get you going.
>
> Fortunately, I've seen the rate of NIMDA attacks drop by a factor
> of four over the last couple of days. Either IIS webmasters are
> getting a clue, or their ISPs are being clueful for them (DSL.net, for
> example, is shutting off their infected customers until those
> customers demonstrate that they've fixed their servers).
>
> --
> Chris BeHanna
> Software Engineer (Remove "bogus" before responding.)
> behanna@bogus.zbzoom.net
> I was raised by a pack of wild corn dogs.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
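The same idea as Steve's cron script, written here as an added example (it is not code from the thread or from FreeBSD): pull the client addresses out of Apache 1.3 error-log lines that mention cmd.exe and turn them into ipfw deny commands. It differs from the posted script in two ways a defender usually wants: the address is taken from the "[client ...]" tag rather than by field position, and instead of emptying the live log (which can drop lines Apache writes between the copy and the truncate) it remembers how many lines it has already read in a state file. The sample log lines, the state-file layout and the ALREADY_DENIED file (one IP per line, however you choose to produce it) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the post. Assumes Apache 1.3 error-log
# lines of the form "[date] [error] [client A.B.C.D] message".

# Constructed sample log (not real traffic) so the functions run offline.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[Sun Sep 23 12:00:01 2001] [error] [client 192.0.2.10] File does not exist: /scripts/root.exe
[Sun Sep 23 12:00:02 2001] [error] [client 192.0.2.10] File does not exist: /winnt/system32/cmd.exe
[Sun Sep 23 12:00:03 2001] [error] [client 198.51.100.7] File does not exist: /c/winnt/system32/cmd.exe
[Sun Sep 23 12:00:04 2001] [error] [client 192.0.2.10] File does not exist: /d/winnt/system32/cmd.exe
[Sun Sep 23 12:00:05 2001] [error] [client 203.0.113.5] File does not exist: /favicon.ico
EOF

# since_last LOG STATE
# Print only the lines appended to LOG since the previous call; STATE stores the
# line count already seen. If LOG shrank (rotated), start from the top again.
# This replaces "cat /dev/null > log", so Apache's own writes are never lost.
since_last() {
    last=0
    [ -f "$2" ] && last=$(($(cat "$2") + 0))
    total=$(($(wc -l < "$1") + 0))
    [ "$total" -lt "$last" ] && last=0
    tail -n +$((last + 1)) "$1"
    echo "$total" > "$2"
}

# offender_ips
# Read log lines on stdin, keep those mentioning cmd.exe, and print each client
# address once. Matching on the "[client ...]" tag avoids depending on $8.
offender_ips() {
    grep 'cmd\.exe' | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' | sort -u
}

# ipfw_rules LOG ALREADY_DENIED
# Emit one "ipfw add deny" command per offender in LOG that is not already
# listed in ALREADY_DENIED (assumed format: one IP per line), so a cron run
# does not stack a duplicate rule for an address blocked last minute.
# Output is printed, not executed; pipe it to /bin/sh once you trust it.
ipfw_rules() {
    offender_ips < "$1" | awk -v denied="$2" '
        FILENAME == denied { seen[$1] = 1; next }
        !($1 in seen) { printf("/sbin/ipfw add deny ip from %s to any\n", $1) }
    ' "$2" -
}

# cron_pass LOG STATE ALREADY_DENIED
# One scheduled run: only the lines added since last time are considered.
cron_pass() {
    new="$(mktemp)"
    since_last "$1" "$2" > "$new"
    ipfw_rules "$new" "$3"
    rm -f "$new"
}
```

Run `cron_pass /var/log/httpd-error.log /var/db/nimda.state /var/db/nimda.denied` from cron and append each emitted address to the denied file after applying the rule; the second call in the same minute produces nothing because the state file already records the lines seen.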