Worm probes

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 18 Sep 2001, Joseph McDonald wrote:

> Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
> to lessen the impact?  One idea:  Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.

Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

<?
  echo "404 This page is not available.\n";
  flush();
  sleep(150);
?>

This should slow the scanning and thus the waste of bandwidth and spread
rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]