Date:      Sun, 23 Sep 2001 02:08:19 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        Chris Byrnes <chris@JEAH.net>
Cc:        <security@freebsd.org>
Subject:   Re: New worm protection
Message-ID:  <20010923014113.P45913-100000@topperwein.dyndns.org>
In-Reply-To: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com>

On Thu, 20 Sep 2001, Chris Byrnes wrote:

> Has anyone written an easy-to-use ipfw rule or some kind of script that will
> help with this new worm?

    There's La Brea, but that's probably not quite what you're looking
for.

> I have restricted Apache to just listen to my main two web IPs
> instead of all of the IPs (I have hundreds of domains and each of
> them previously had its own IP for different reasons), and that's
> cut down the bandwidth use in half, but I'm still about double what
> my daily normal bandwidth usage is.

    As others have posted, you can tell Apache not to log certain
requests.  That will help your logfile.

    To avoid wasting bandwidth sending a 404, you could possibly
either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the
attacks; i.e., redirect the request to a CGI script that sets MSS to a
few bytes (à la La Brea), pretending to legitimately service the
request.  Be careful:  you will have to watch the number of sockets
you have open and the number of threads you tie up in this manner.
Perhaps someone with more time than I have can author up a "mod_NIMDA"
that can be configured with a max # of threads or max # of connections to
tarpit in this fashion, so that you can limit the amount of resources
that you use.  Any inbound attacks in excess of these limits can
simply be dropped on the floor.

> Frustration is high, and money issues are going to surface soon.
> Any help would be appreciated.

    This is the best I can do with the time I have available.  I'm in
the middle of combatting this problem with a proxy server that is
under attack (for which I have access to the source).  My solution is
to do regex parsing on the request using Boost's regex++ (see
http://www.boost.org) to drop the requests on the floor (i.e., I'm not
even going to dignify them with a 404), but keep a hash map of
requesting IP addresses and number of attacks, which periodically gets
dumped to a separate logfile.  I'd use regex() and regcmp(), but this
also has to run on Windows.  Unfortunately, I can't share the source,
but this description should be enough to get you going.

    Fortunately, I've seen the rate of NIMDA attacks drop by a factor
of four over the last couple of days.  Either IIS webmasters are
getting a clue, or their ISPs are being clueful for them (DSL.net, for
example, is shutting off their infected customers until those
customers demonstrate that they've fixed their servers).

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
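An added example, not Chris BeHanna's code and not the proxy he describes: the drop-and-count filter sketched in his reply (regex-match the request, drop it without a 404, keep a per-IP attack count, dump it periodically to a separate log), written with C++11 <regex> in place of Boost regex++. The signature, the addresses and the sample request lines are constructed for illustration, modelled on the Nimda probes that fill the logs the thread is about.

```cpp
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Drops worm-style requests before any 404 is built and counts attackers per IP.
class WormFilter {
public:
    // Constructed example signature: Nimda-style probes for root.exe / cmd.exe
    // in the request target; case-insensitive so "ROOT.EXE" is caught too.
    WormFilter() : sig_("/(root|cmd)\\.exe", std::regex::icase) {}

    // true = serve normally; false = drop on the floor (no response at all).
    bool admit(const std::string& ip, const std::string& request_line) {
        if (!std::regex_search(request_line, sig_)) return true;
        ++hits_[ip];  // remember who is attacking, and how often
        return false;
    }

    // The periodic dump to a separate logfile: one "ip count" line per
    // attacker, then the counters are reset for the next interval.
    std::string dump_and_reset() {
        std::ostringstream out;
        for (const auto& kv : hits_)
            out << kv.first << ' ' << kv.second << '\n';
        hits_.clear();
        return out.str();
    }

private:
    std::regex sig_;
    std::map<std::string, unsigned long> hits_;  // ordered, so dumps are stable
};

// Constructed sample traffic (IP, request line); returns how many got through.
int run_sample(WormFilter& f) {
    const std::vector<std::pair<std::string, std::string>> reqs = {
        {"192.0.2.10", "GET /index.html HTTP/1.0"},
        {"192.0.2.77", "GET /scripts/root.exe?/c+dir HTTP/1.0"},
        {"192.0.2.77", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"},
        {"192.0.2.10", "GET /images/logo.gif HTTP/1.0"},
        {"198.51.100.5", "GET /MSADC/ROOT.EXE?/c+dir HTTP/1.0"}};
    int admitted = 0;
    for (const auto& r : reqs)
        if (f.admit(r.first, r.second)) ++admitted;
    return admitted;
}
```

In a real server the dump would be driven by a timer and the regex kept simple, since every request line passes through it; the counters are also where a connection cap like the one proposed for a "mod_NIMDA" would be enforced.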



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message