[42619] in North American Network Operators' Group
Re: Worm probes
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Tue Sep 18 14:00:19 2001
Date: Tue, 18 Sep 2001 19:36:27 +0200 (CEST)
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Joseph McDonald <joe@vpop.net>
Cc: <nanog@merit.edu>
In-Reply-To: <122071095343.20010918095143@vpop.net>
Message-ID: <20010918192000.H22074-100000@sequoia.muada.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 18 Sep 2001, Joseph McDonald wrote:
> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
> to lessen the impact? One idea: Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.
Or what about this: redirect your 404 to a PHP script with something like:
ErrorDocument 404 /404.php
and then let a script like this waste the attacker's time:
<?php
// Apache has already set the 404 status for an ErrorDocument handler;
// send a short body, push it to the client, then hold the connection open.
echo "404 This page is not available.\n";
flush();
sleep(150); // keep a single-threaded scanner waiting before its next probe
?>
This should slow down the scanning and thus the waste of bandwidth and the
spread rate of the infections. At least, if the worm is single-threaded.
Iljitsch van Beijnum
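The per-IP bookkeeping Joseph sketches above, turned into an offline check over an Apache log, as an added example that is not code from this thread or from Apache. Only 404 responses are counted, and a source is flagged when a burst of them falls inside a short window, so an ordinary visitor with one mistyped URL is left alone. The log lines, addresses and paths are constructed; the thresholds are arbitrary starting points.

```python
"""Flag client IPs whose burst of 404s looks like automated probing.

Added example, not from the original post. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample: one visitor with a single typo, one scanner hammering
# unknown paths within seconds, one slow visitor hitting stale links, and
# one malformed line that the parser must skip.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:19:30:01 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [18/Sep/2001:19:30:09 +0200] "GET /indx.html HTTP/1.0" 404 207
203.0.113.5 - - [18/Sep/2001:19:31:02 +0200] "GET /scan-path-1 HTTP/1.0" 404 207
203.0.113.5 - - [18/Sep/2001:19:31:02 +0200] "GET /scan-path-2 HTTP/1.0" 404 207
203.0.113.5 - - [18/Sep/2001:19:31:03 +0200] "GET /scan-path-3 HTTP/1.0" 404 207
203.0.113.5 - - [18/Sep/2001:19:31:04 +0200] "GET /scan-path-4 HTTP/1.0" 404 207
198.51.100.7 - - [18/Sep/2001:19:20:00 +0200] "GET /old-page HTTP/1.0" 404 207
198.51.100.7 - - [18/Sep/2001:19:25:00 +0200] "GET /old-page2 HTTP/1.0" 404 207
198.51.100.7 - - [18/Sep/2001:19:33:00 +0200] "GET /old-page3 HTTP/1.0" 404 207
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (ip, timestamp, status) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_probers(log_text, threshold=3, window_seconds=60):
    """Return {ip: total_404s} for IPs with `threshold` 404s inside any window.

    This is the per-source hash from the thread, run offline over a log:
    only misses are counted, so clients fetching real pages are unaffected.
    """
    window = timedelta(seconds=window_seconds)
    misses = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole run
        ip, ts, status = parsed
        if status == 404:
            misses[ip].append(ts)

    flagged = {}
    for ip, times in misses.items():
        times.sort()
        # Slide over the sorted misses; any `threshold` consecutive ones
        # that fit inside `window` mark the source as a prober.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def deny_directives(flagged):
    """Render mod_access 'Deny from' lines for the flagged sources."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(flagged))


if __name__ == "__main__":
    hits = find_probers(SAMPLE_LOG)
    print(hits)
    print(deny_directives(hits))
```

With the defaults only the burst source is reported; widening the window to fifteen minutes also catches the slow visitor, which is the trade-off to weigh before feeding the output into an access-control block (the rendered lines belong inside an `Order Deny,Allow` section, and a cron job would need to expire entries so a dynamically assigned address is not blocked forever).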