Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: David G Andersen <danderse@cs.utah.edu>
Cc: Chris Byrnes <chris@JEAH.net>, <security@FreeBSD.ORG>
Subject: Re: New worm protection
Message-ID: <20010923205118.Y52704-100000@topperwein.dyndns.org>
In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu>
On Sun, 23 Sep 2001, David G Andersen wrote:
> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.
>
> He also suggested a Tarpit-like approach. I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> # Send every 404 under /scripts/ to the stalling CGI
> cat > DOCROOT/scripts/.htaccess <<'EOF'
> ErrorDocument 404 /scripts/nph-foo.cgi
> EOF
>
> # nph- script: the server adds no headers, so the client sees nothing
> # for five seconds and then gets the connection closed
> cat > DOCROOT/scripts/nph-foo.cgi <<'EOF'
> #!/usr/bin/perl
> sleep(5);
> exit(0);
> EOF
> chmod +x DOCROOT/scripts/nph-foo.cgi
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.
I had a thought that since the initial request was for a directory
listing of a Windows C: drive, I'd give one to him.
One byte per second.
I don't know if NIMDA will time out after I send the initial
headers, but if not, then I could potentially tarpit one for a couple
of hours. :-)
The trouble with triggering ipfw/ipchain rules is that as the
ruleset gets large, network performance gets slow (rulesets are
searched linearly). A nice compromise would be to gather statistics
on the attackers and just firewall out the top 10 or 20 or so.
The trouble with attempting to send a remote shutdown is that it's
illegal (breaking into someone else's machine to run a program and all).
Of course, if you have some unused IP addresses, there is always
La Brea. :-)
--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
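An added example, not from this thread or from either poster: a small POSIX shell script for the compromise Chris describes above. It counts worm-style probes per source address in a Common Log Format access log and prints ipfw deny rules for the top N offenders, so an administrator can review them before loading them instead of adding a rule per hit. The probe paths (/scripts/, /_mem_bin/, /_vti_bin/) are the ones from the script quoted earlier; the sample log lines are constructed, and the starting rule number is an assumption (pick a range that is free in your own ruleset).

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise probe sources from a
# Common Log Format access log and emit ipfw deny rules for the top N.
# Rules are printed, not applied, so they can be reviewed first.

# Request paths the quoted script redirects; treat any hit on them as a probe.
PROBE_RE='/scripts/|/_mem_bin/|/_vti_bin/'

# write_sample_log FILE: constructed log lines (documentation address ranges)
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [23/Sep/2001:20:00:01 -0400] "GET /scripts/ HTTP/1.0" 404 -
192.0.2.20 - - [23/Sep/2001:20:00:02 -0400] "GET /index.html HTTP/1.0" 200 512
198.51.100.7 - - [23/Sep/2001:20:00:03 -0400] "GET /_vti_bin/ HTTP/1.0" 404 -
192.0.2.10 - - [23/Sep/2001:20:00:04 -0400] "GET /_mem_bin/ HTTP/1.0" 404 -
203.0.113.5 - - [23/Sep/2001:20:00:05 -0400] "GET /scripts/ HTTP/1.0" 404 -
192.0.2.10 - - [23/Sep/2001:20:00:06 -0400] "GET /index.html HTTP/1.0" 200 512
198.51.100.7 - - [23/Sep/2001:20:00:07 -0400] "GET /scripts/ HTTP/1.0" 404 -
192.0.2.10 - - [23/Sep/2001:20:00:08 -0400] "GET /_vti_bin/ HTTP/1.0" 404 -
EOF
}

# top_probers LOGFILE N: print "count ip" for the N busiest probing addresses,
# highest count first. Only the request line is matched, so a legitimate
# page fetch from the same address does not count.
top_probers() {
    grep -E "\"(GET|HEAD|POST) [^\"]*(${PROBE_RE})" "$1" \
      | awk '{print $1}' \
      | sort | uniq -c | sort -rn \
      | head -n "$2" \
      | awk '{print $1, $2}'
}

# ipfw_rules LOGFILE N [BASE]: one "ipfw add <num> deny ip from <ip> to any"
# per offender, numbered consecutively from BASE (assumed default 1000).
ipfw_rules() {
    base=${3:-1000}
    top_probers "$1" "$2" \
      | awk -v base="$base" \
          '{printf "ipfw add %d deny ip from %s to any\n", base+NR-1, $2}'
}

# Usage: sh blocklist.sh /var/log/httpd-access.log 20 [base-rule-number]
if [ $# -ge 2 ]; then
    ipfw_rules "$@"
fi
```

The generated rules are meant to be pasted in (or piped to `sh`) once checked; keeping the list at a few dozen entries keeps the linear ipfw search cheap, which is the whole point of the compromise.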
