Date:      Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        David G Andersen <danderse@cs.utah.edu>
Cc:        Chris Byrnes <chris@JEAH.net>, <security@FreeBSD.ORG>
Subject:   Re: New worm protection
Message-ID:  <20010923205118.Y52704-100000@topperwein.dyndns.org>
In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu>

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.
>
> He also suggested a Tarpit-like approach.  I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> cat > DOCROOT/scripts/.htaccess <<EOF
> ErrorDocument 404 /scripts/nph-foo.cgi
> EOF
>
> cat > DOCROOT/scripts/nph-foo.cgi <<'EOF'
> #!/usr/bin/perl
> # nph- script: the server sends no headers for us, so the client gets nothing
> sleep(5);
> exit(0);
> EOF
> chmod +x DOCROOT/scripts/nph-foo.cgi
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.

    I had a thought that since the initial request was for a directory
listing of a Windows C: drive, that I'd give one to him.

    One byte per second.

    I don't know if NIMDA will time out after I send the initial
headers, but if not, then I could potentially tarpit one for a couple
of hours.  :-)

    The trouble with triggering ipfw/ipchains rules is that as the
ruleset gets large, network performance gets slow (rulesets are
searched linearly).  A nice compromise would be to gather statistics
on the attackers and just firewall out the top 10 or 20 or so.

    The trouble with attempting to send a remote shutdown is that it's
illegal (breaking into someone else's machine to run a program and all).

    Of course, if you have some unused IP addresses, there is always
La Brea.  :-)

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
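The "gather statistics on the attackers and just firewall out the top 10 or 20" idea from the message above, worked through as an added example (this is not code from the thread or from FreeBSD). It scans Apache-style access log lines for requests against the directories the thread names (/scripts, /_mem_bin, /_vti_bin) and for the Windows directory-listing request, counts hits per client address, and renders ipfw deny rules for only the top N sources so the linearly searched ruleset stays short. The log lines, the rule numbering and the documentation-range IP addresses are all constructed for the example.

```python
#!/usr/bin/env python3
"""Rank worm-probe sources from a web server access log and emit ipfw
rules for the top N only.  Added example; not from the mailing-list thread."""
import re
from collections import Counter

# Request-path fragments tied to the probes discussed in the thread:
# the three directories it names and the "cmd.exe /c dir" listing request.
PROBE_PATTERNS = [
    re.compile(r"/scripts/", re.I),
    re.compile(r"/_mem_bin/", re.I),
    re.compile(r"/_vti_bin/", re.I),
    re.compile(r"cmd\.exe\?/c\+dir", re.I),
]

# Apache common/combined log format: client address first, request line quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Sep/2001:20:57:18 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [23/Sep/2001:20:57:19 -0400] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [23/Sep/2001:20:57:20 -0400] "GET /_mem_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [23/Sep/2001:21:01:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
203.0.113.5 - - [23/Sep/2001:21:02:44 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
"""


def is_probe(path):
    """True if the request path matches any of the worm-probe fragments."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def count_probe_sources(lines):
    """Count probe requests per client address; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group("path")):
            counts[m.group("ip")] += 1
    return counts


def top_sources(lines, n=10):
    """The n most active probe sources as (ip, hits), most active first."""
    return count_probe_sources(lines).most_common(n)


def ipfw_rules(sources, base_rule=1000, port=80):
    """Render one ipfw deny rule per source, numbered from base_rule upward."""
    return [
        f"ipfw add {base_rule + i} deny tcp from {ip} to any dst-port {port}"
        for i, (ip, _hits) in enumerate(sources)
    ]


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/httpd-access.log") for real use.
    for rule in ipfw_rules(top_sources(SAMPLE_LOG.splitlines(), n=10)):
        print(rule)
```

Run it against a real log to print the rules, then review the list before applying it: a busy proxy or NAT gateway can appear near the top of the count, and blocking it on port 80 would cut off the legitimate users behind it as well.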

