Date: Sun, 23 Sep 2001 02:08:19 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: Chris Byrnes <chris@JEAH.net>
Cc: <security@freebsd.org>
Subject: Re: New worm protection
Message-ID: <20010923014113.P45913-100000@topperwein.dyndns.org>
In-Reply-To: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com>
On Thu, 20 Sep 2001, Chris Byrnes wrote:

> Has anyone written an easy-to-use ipfw rule or some kind of script that will
> help with this new worm?

There's La Brea, but that's probably not quite what you're looking for.

> I have restricted Apache to just listen to my main two web IPs
> instead of all of the IPs (I have hundreds of domains and each of
> them previously had its own IP for different reasons), and that's
> cut down the bandwidth use in half, but I'm still about double what
> my daily normal bandwidth usage is.

As others have posted, you can tell Apache not to log certain requests. That will help your logfile.

To avoid wasting bandwidth sending a 404, you could possibly either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the attacks; i.e., redirect the request to a CGI script that sets MSS to a few bytes (à la La Brea), pretending to legitimately service the request. Be careful: you will have to watch the number of sockets you have open and the number of threads you tie up in this manner. Perhaps someone with more time than I have can author up a "mod_NIMDA" that can be configured with a max # of threads or max # of connections to tarpit in this fashion, so that you can limit the amount of resources that you use. Any inbound attacks in excess of these limits can simply be dropped on the floor.

> Frustration is high, and money issues are going to surface soon.
> Any help would be appreciated.

This is the best I can do with the time I have available. I'm in the middle of combatting this problem with a proxy server that is under attack (for which I have access to the source). My solution is to do regex parsing on the request using Boost's regex++ (see http://www.boost.org) to drop the requests on the floor (i.e., I'm not even going to dignify them with a 404), but keep a hash map of requesting IP addresses and number of attacks, which periodically gets dumped to a separate logfile. I'd use regex() and regcmp(), but this also has to run on Windows.
Unfortunately, I can't share the source, but this description should be enough to get you going.

Fortunately, I've seen the rate of NIMDA attacks drop by a factor of four over the last couple of days. Either IIS webmasters are getting a clue, or their ISPs are being clueful for them (DSL.net, for example, is shutting off their infected customers until those customers demonstrate that they've fixed their servers).

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
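The filter Chris describes above (regex-match the request line, drop matches without a reply, count hits per source IP, periodically dump the counts to a separate log) as an added example; this is not his proxy's code. It uses std::regex in place of Boost regex++ so it builds without Boost, the pattern is an assumed, representative signature (root.exe / cmd.exe probes, as in the public Nimda advisories) rather than the list his proxy uses, and the request lines in main() are constructed samples.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <string>

// Assumed signature: matches request lines aiming at root.exe or cmd.exe.
// A real deployment would carry its own vetted pattern list.
static const std::regex kWormRequest(
    R"(^(GET|HEAD|POST)\s+\S*(root\.exe|cmd\.exe))", std::regex::icase);

class WormFilter {
 public:
  // Returns true when the request should be dropped without any response
  // (no 404); each drop is charged to the requesting IP.
  bool shouldDrop(const std::string& clientIp, const std::string& requestLine) {
    if (!std::regex_search(requestLine, kWormRequest)) return false;
    ++counts_[clientIp];
    return true;
  }

  // Number of dropped requests recorded for an IP since the last dump.
  std::size_t attackCount(const std::string& ip) const {
    auto it = counts_.find(ip);
    return it == counts_.end() ? 0 : it->second;
  }

  // Periodic dump: "ip count" per line, then reset. std::map (not a hash map)
  // keeps the dump deterministically ordered; the caller appends it to the
  // separate attack logfile.
  std::string dumpAndReset() {
    std::ostringstream out;
    for (const auto& kv : counts_) out << kv.first << ' ' << kv.second << '\n';
    counts_.clear();
    return out.str();
  }

 private:
  std::map<std::string, std::size_t> counts_;
};

int main() {
  WormFilter filter;
  // Constructed sample traffic: two worm probes from one host, one normal hit.
  filter.shouldDrop("10.0.0.1", "GET /scripts/root.exe?/c+dir HTTP/1.0");
  filter.shouldDrop("10.0.0.1", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0");
  filter.shouldDrop("10.0.0.2", "GET /index.html HTTP/1.0");
  std::cout << filter.dumpAndReset();  // "10.0.0.1 2"
  return 0;
}
```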