Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: David G Andersen <danderse@cs.utah.edu>
Cc: Chris Byrnes <chris@JEAH.net>, <security@FreeBSD.ORG>
Subject: Re: New worm protection
Message-ID: <20010923205118.Y52704-100000@topperwein.dyndns.org>
In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu>
On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.
>
> He also suggested a Tarpit-like approach. I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> # Any 404 under these directories is served by the sleeping CGI
> cat > DOCROOT/scripts/.htaccess <<'EOF'
> ErrorDocument 404 /scripts/nph-foo.cgi
> EOF
>
> cat > DOCROOT/scripts/nph-foo.cgi <<'EOF'
> #!/usr/bin/perl
> sleep(5);
> exit(0);
> EOF
> # The CGI must be executable by the web server
> chmod 755 DOCROOT/scripts/nph-foo.cgi
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.

I had a thought that since the initial request was for a directory
listing of a Windows C: drive, that I'd give one to him. One byte per
second. I don't know if NIMDA will time out after I send the initial
headers, but if not, then I could potentially tarpit one for a couple
of hours. :-)

The trouble with triggering ipfw/ipchain rules is that as the ruleset
gets large, network performance gets slow (rulesets are searched
linearly). A nice compromise would be to gather statistics on the
attackers and just firewall out the top 10 or 20 or so.

The trouble with attempting to send a remote shutdown is that it's
illegal (breaking into someone else's machine to run a program and
all).

Of course, if you have some unused IP addresses, there is always La
Brea. :-)

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
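The one-byte-per-second C: listing described in the reply above, written out as an added example in shell (not a script posted in the thread, and not the Perl nph-foo.cgi quoted in it). The script name nph-dir.cgi, the TARPIT_DELAY variable and the contents of the fake listing are assumptions. It answers the mechanics only; whether the worm keeps the connection open after the headers arrive is the open question the reply leaves, and only a real client can settle it.

```shell
#!/bin/sh
# nph-dir.cgi (assumed name; added example, not the script from the thread).
# Drips a fake "dir C:\" listing one byte every $TARPIT_DELAY seconds.
# The nph- prefix makes Apache pass the output to the client unmodified,
# so the status line and headers are written here, before the slow body.

TARPIT_DELAY=${TARPIT_DELAY:-1}

# Constructed stand-in for the C:\ listing the worm asks for.
fake_listing() {
    printf ' Volume in drive C has no label.\r\n'
    printf ' Directory of C:\\\r\n'
    printf '\r\n'
    printf '09/23/2001  08:57p      <DIR>          Inetpub\r\n'
    printf '09/23/2001  08:57p      <DIR>          WINNT\r\n'
    printf '               0 File(s)              0 bytes\r\n'
}

# drip DELAY: copy stdin to stdout one byte at a time, sleeping DELAY
# seconds after each byte. Bytes go through od as octal so that spaces,
# CR and LF survive the shell's word splitting.
drip() {
    od -An -v -to1 | tr -s ' \n' '\n' | while read -r oct; do
        [ -n "$oct" ] || continue
        printf "\\$oct"
        sleep "$1"
    done
}

# Full response: headers at full speed, then the dripped body.
serve_tarpit() {
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: text/plain\r\n'
    printf 'Connection: close\r\n'
    printf '\r\n'
    fake_listing | drip "$TARPIT_DELAY"
}

# Only act as a CGI when the web server actually invoked us.
if [ -n "$GATEWAY_INTERFACE" ]; then
    serve_tarpit
fi
```

Drop it into DOCROOT/scripts next to the .htaccess from the quoted script, make it executable, and point the ErrorDocument at it instead of nph-foo.cgi. The nph- prefix matters: without it Apache buffers and rewrites the headers, and the per-byte pacing is lost. Each tarpitted connection ties up one CGI process for as long as the client stays, so cap it with MaxClients (or a per-IP limit) before relying on it.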
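The "gather statistics and firewall out the top 10 or 20" compromise from the reply above, as an added example (not code from the thread): count worm-style requests per source address in an Apache access log and print ipfw deny rules for only the busiest N, so the linearly searched ruleset stays short. The function names, the sample log lines and the request-path pattern are assumptions; the pattern is built from the directories the thread names (/scripts, /_vti_bin, /_mem_bin) plus the cmd.exe/root.exe targets of the C: listing request, and is not a complete signature.

```shell
#!/bin/sh
# Added example, not from the thread: top-N Nimda sources -> ipfw deny rules.

# Constructed sample of Apache common-log lines (not a real log).
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [23/Sep/2001:20:00:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [23/Sep/2001:20:00:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [23/Sep/2001:20:00:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [23/Sep/2001:20:00:04 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [23/Sep/2001:20:00:05 -0400] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.9 - - [23/Sep/2001:20:00:06 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [23/Sep/2001:20:00:07 -0400] "GET /images/logo.gif HTTP/1.0" 200 2048
10.0.0.8 - - [23/Sep/2001:20:00:08 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
EOF
}

# Request paths treated as worm probes. Assumed from the directories named
# in the thread plus the cmd.exe/root.exe targets; tune it to your own log.
NIMDA_PATTERN='/scripts/|/_vti_bin/|/_mem_bin/|/MSADC/|cmd[.]exe|root[.]exe'

# nimda_top_sources LOG N: the N source addresses with the most matching
# requests, busiest first. $7 is the request path in common log format.
nimda_top_sources() {
    awk -v pat="$NIMDA_PATTERN" '$7 ~ pat { print $1 }' "$1" \
        | sort | uniq -c | sort -rn | head -n "$2" | awk '{ print $2 }'
}

# nimda_ipfw_rules LOG N FIRST_RULE: print (never run) one ipfw deny rule
# per top source, numbered upward from FIRST_RULE. Keep FIRST_RULE low so
# the handful of deny rules sits near the head of ipfw's linear search.
nimda_ipfw_rules() {
    nimda_top_sources "$1" "$2" \
        | awk -v n="$3" '{ printf "ipfw add %d deny ip from %s to any\n", n + NR - 1, $1 }'
}

# Demo on the constructed log. Review the output, then pipe it to sh as root.
demo_log=$(mktemp)
write_sample_log "$demo_log"
nimda_ipfw_rules "$demo_log" 2 1000
rm -f "$demo_log"
```

Run it against the real access log with N set to 10 or 20, as the reply suggests, and regenerate from cron rather than adding a rule per hit: the point is a fixed, small block of rules at the top of the set, not one that grows with every probe. Deleting the old block (ipfw delete on the rule-number range) before loading the new one keeps the count bounded.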