North American Network Operators Group


Re: Worm probes

  • From: Iljitsch van Beijnum
  • Date: Tue Sep 18 14:02:39 2001

On Tue, 18 Sep 2001, Joseph McDonald wrote:

> Yes. We are seeing it here big time.  Does anyone have any Apache hacks
> to lessen the impact?  One idea:  Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or an mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.

Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

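<?php
  // Send the error text right away so the client sees a response...
  echo "404 This page is not available.\n";
  flush();
  // ...then hold the connection open for 150 seconds before finishing.
  sleep(150);
?>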

This should slow the scanning and thus the waste of bandwidth and spread
rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum
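
A variant of the 404.php above that caps how many requests may sleep at once, since each sleeping request holds a server process for the full delay. This is an added example, not code from the original post; the state file path, the cap of 20 and the helper name adjust_sleepers() are assumptions.

```php
<?php
// Added example, not from the original post. Path and limits are assumptions.
const STATE_FILE   = '/tmp/tarpit-sleepers.count'; // must be writable by the web server
const MAX_SLEEPERS = 20;   // assumed cap: keep well below Apache's MaxClients
const DELAY        = 150;  // seconds, same delay as the script in the post

// Atomically add $delta to the count of sleeping requests.
// Returns false when taking a slot would exceed the cap or state is unavailable.
function adjust_sleepers(int $delta): bool
{
    $fh = fopen(STATE_FILE, 'c+');      // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;                   // fail open: answer without delaying
    }
    $count = (int) stream_get_contents($fh);
    $ok = ($delta < 0) || ($count < MAX_SLEEPERS);
    if ($ok) {
        $count = max(0, $count + $delta);
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, (string) $count);
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

echo "404 This page is not available.\n";
flush();

if (adjust_sleepers(+1)) {
    // Keep running if the client hangs up, so the slot is always released.
    ignore_user_abort(true);
    try {
        sleep(DELAY);
    } finally {
        adjust_sleepers(-1);
    }
}
// When the cap is reached the request just ends, like an ordinary 404.
```

If a server process is killed while sleeping, its slot is never released, so the count file should be reset when the web server restarts.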