Date: Sun, 23 Sep 2001 12:17:32 -0500 From: Steve Ames <steve@virtual-voodoo.com> To: Chris BeHanna <behanna@zbzoom.net> Cc: Chris Byrnes <chris@JEAH.net>, security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923121732.B56611@virtual-voodoo.com> In-Reply-To: <20010923014113.P45913-100000@topperwein.dyndns.org> References: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> <20010923014113.P45913-100000@topperwein.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
One simple shell script and you can automatically add offendors to your ipfw ruleset. Won't stop the initial probe but will stop repeat performances. I use the following run out of cron every minute: #!/bin/sh cd /root grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u | awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l && cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new && cat /dev/null > /var/log/httpd-error.log /bin/sh l && /bin/rm l Short and simple. Its not perfect but it has reduced my bandwidth quite a bit. -Steve On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote: > On Thu, 20 Sep 2001, Chris Byrnes wrote: > > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > > help with this new worm? > > There's La Brea, but that's probably not quite what you're looking > for. > > > I have restricted Apache to just listen to my main two web IPs > > instead of all of the IPs (I have hundreds of domains and each of > > them previously had its own IP for different reasons), and that's > > cut down the bandwidth use in half, but I'm still about double what > > my daily normal bandwidth usage is. > > As others have posted, you can tell Apache not to log certain > requests. That will help your logfile. > > To avoid wasting bandwidth sending a 404, you could possibly > either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the > attacks; i.e., redirect the request to a CGI script that sets MSS to a > few bytes (a l? La Brea), pretending to legitimately service the > request. Be careful: you will have to watch the number of sockets > you have open and the number of threads you tie up in this manner. > Perhaps someone with more time than I have can author up a "mod_NIMDA" > that can be configured with a max # of threads or max# connections to > tarpit in this fashion, so that you can limit the amount of resources > that you use. Any inbound attacks in excess of these limits can > simply be dropped on the floor. > > > Frustration is high, and money issues are going to surface soon. > > Any help would be appreciated. > > This is the best I can do with the time I have available. I'm in > the middle of combatting this problem with a proxy server that is > under attack (for which I have access to the source). My solution is > to do regex parsing on the request using Boost's regex++ (see > http://www.boost.org) to drop the requests on the floor (i.e., I'm not > even going to dignify them with a 404), but keep a hash map of > requesting IP addresses and number of attacks, which periodically gets > dumped to a separate logfile. I'd use regex() and regcmp(), but this > also has to run on Windows. Unfortunately, I can't share the source, > but this description should be enough to get you going. > > Fortunately, I've seen the rate of NIMDA attacks drop by a factor > of four over the last couple of days. Either IIS webmasters are > getting a clue, or their ISPs are being clueful for them (DSL.net, for > example, is shutting off their infected customers until those > customers demonstrate that they've fixed their servers). > > -- > Chris BeHanna > Software Engineer (Remove "bogus" before responding.) > behanna@bogus.zbzoom.net > I was raised by a pack of wild corn dogs. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010923121732.B56611>