From owner-freebsd-security Sun Sep 23 17:56:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 5019A37B439 for ; Sun, 23 Sep 2001 17:56:55 -0700 (PDT)
Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f8O0vN252830; Sun, 23 Sep 2001 20:57:23 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: David G Andersen
Cc: Chris Byrnes ,
Subject: Re: New worm protection
In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu>
Message-ID: <20010923205118.Y52704-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.
>
> He also suggested a Tarpit-like approach. I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> cat > DOCROOT/scripts/.htaccess
> ErrorDocument 404 /scripts/nph-foo.cgi
>
>
> cat > DOCROOT/scripts/nph-foo.cgi
> #!/usr/bin/perl
> sleep(5);
> exit(0);
>
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.
I had a thought that since the initial request was for a directory listing of a Windows C: drive, that I'd give one to him. One byte per second. I don't know if NIMDA will time out after I send the initial headers, but if not, then I could potentially tarpit one for a couple of hours. :-)

The trouble with triggering ipfw/ipchain rules is that as the ruleset gets large, network performance gets slow (rulesets are searched linearly). A nice compromise would be to gather statistics on the attackers and just firewall out the top 10 or 20 or so.

The trouble with attempting to send a remote shutdown is that it's illegal (breaking into someone else's machine to run a program and all).

Of course, if you have some unused IP addresses, there is always La Brea. :-)

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
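The "gather statistics and firewall only the top N" compromise from the reply above, worked through as an added example; this is not code from the thread or from any of its posters. It assumes an Apache common-format access log (request path in the seventh whitespace-separated field), treats any request into the /scripts, /_mem_bin or /_vti_bin paths named in the thread, or for cmd.exe or root.exe, as a worm probe (my signature choice, not the poster's), and prints ipfw deny rules for review instead of executing them. The log lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the thread: rank the sources of worm probes in an
# Apache common-log file and print ipfw deny rules for only the top N, so the
# ruleset stays short instead of growing by one rule per hit.
#
# Assumptions (mine): common log format with the request path in field 7; a
# probe is any request into /scripts, /_mem_bin or /_vti_bin, or for
# cmd.exe/root.exe.

# Constructed sample log lines (not real traffic); addresses are from the
# documentation ranges.
SAMPLE_LOG='192.0.2.10 - - [23/Sep/2001:20:57:18 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [23/Sep/2001:20:57:19 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [23/Sep/2001:20:57:20 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [23/Sep/2001:20:57:21 -0400] "GET /_mem_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [23/Sep/2001:20:57:22 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [23/Sep/2001:20:57:23 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [23/Sep/2001:20:57:24 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.77 - - [23/Sep/2001:20:57:25 -0400] "GET /about.html HTTP/1.0" 200 512'

# Write the constructed sample to a temporary file and print its path.
sample_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/probes.XXXXXX") || exit 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Print the source address of every request that matches a probe signature.
# $1: log file
probe_sources() {
    awk '$7 ~ /^\/(scripts|_mem_bin|_vti_bin)\// || $7 ~ /(cmd|root)\.exe/ { print $1 }' "$1"
}

# Print "count address" for the N busiest probe sources, highest count first.
# $1: log file, $2: N
top_attackers() {
    probe_sources "$1" | sort | uniq -c | sort -rn | head -n "$2" | awk '{ print $1, $2 }'
}

# Print ipfw commands that deny the top N sources on the web port. They are
# printed, not run, so an operator can review them before adding any rules.
# $1: log file, $2: N, $3: first rule number, $4: TCP port
ipfw_rules() {
    top_attackers "$1" "$2" |
        awk -v num="$3" -v port="$4" \
            '{ printf "ipfw add %d deny tcp from %s to any %d\n", num, $2, port; num++ }'
}

# Demonstration on the constructed sample.
LOG=$(sample_file)
echo "Top two probe sources (count address):"
top_attackers "$LOG" 2
echo "Rules that would be added for them (review first, run as root):"
ipfw_rules "$LOG" 2 1000 80
rm -f "$LOG"
```

On a real server, point `top_attackers` at the live access log, pick N (the thread suggests 10 or 20), and re-run periodically; because each run produces a fixed, small set of rules, the linear rule search the reply worries about stays bounded no matter how many distinct hosts probe the server.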