Re: New worm protection

From: Chris BeHanna (behanna@zbzoom.net)
Date: 09/24/01


Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: David G Andersen <danderse@cs.utah.edu>

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
>
> Someone already pointed out disabling logging on your webserver.
>
> He also suggested a Tarpit-like approach. I like the following
> simple script, which is what I run on my webservers.
>
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
>
> # Any 404 under these directories is routed to the delaying CGI
> cat > DOCROOT/scripts/.htaccess <<'EOF'
> ErrorDocument 404 /scripts/nph-foo.cgi
> EOF
>
> # nph- script: sends no headers at all, just holds the connection open
> cat > DOCROOT/scripts/nph-foo.cgi <<'EOF'
> #!/usr/bin/perl
> sleep(5);
> exit(0);
> EOF
> chmod +x DOCROOT/scripts/nph-foo.cgi
>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.

    I had a thought that since the initial request was for a directory
listing of a Windows C: drive, that I'd give one to him.

    One byte per second.

    I don't know if NIMDA will time out after I send the initial
headers, but if not, then I could potentially tarpit one for a couple
of hours. :-)

    The trouble with triggering ipfw/ipchain rules is that as the
ruleset gets large, network performance gets slow (rulesets are
searched linearly). A nice compromise would be to gather statistics
on the attackers and just firewall out the top 10 or 20 or so.

    The trouble with attempting to send a remote shutdown is that it's
illegal (breaking into someone else's machine to run a program and all).

    Of course, if you have some unused IP addresses, there is always
La Brea. :-)

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
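The "gather statistics and firewall only the top N" idea from the message above, as an added example that is not code from the thread: it counts worm-style probes per source IP over constructed Apache access-log lines (requests under the /scripts, /_mem_bin and /_vti_bin paths named in David's script, or carrying the `/c+dir` directory-listing request) and emits ipfw deny rules for only the noisiest sources. The log format, regex and rule numbering are my assumptions.

```python
"""Rank probing hosts from an Apache access log and emit a short ipfw
deny list (added example, not from the original posters)."""
import re
from collections import Counter

# Directories the thread identifies as worm targets.
PROBE_PATHS = ("/scripts/", "/_mem_bin/", "/_vti_bin/")
# Apache common/combined format: ip - - [date] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_probe(path):
    """True for a request under a known probe directory or one asking the
    server for a directory listing (the C:\\ 'dir' the worm starts with)."""
    low = path.lower()
    return low.startswith(PROBE_PATHS) or "/c+dir" in low


def count_probes(lines):
    """Return a Counter of probe requests keyed by client IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, _status = m.groups()
        if is_probe(path):
            hits[ip] += 1
    return hits


def ipfw_rules(hits, top_n=20, base_rule=1000):
    """Deny rules for the top_n noisiest sources, numbered from base_rule.
    Keeping this list short is the point: ipfw searches rules linearly."""
    return [f"ipfw add {base_rule + i} deny tcp from {ip} to any 80"
            for i, (ip, _n) in enumerate(hits.most_common(top_n))]


# Constructed sample log lines (not real traffic; private addresses).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2001:20:57:18 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [23/Sep/2001:20:57:19 -0400] "GET /_mem_bin/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [23/Sep/2001:20:58:01 -0400] "GET /index.html HTTP/1.1" 200 1234
192.168.1.9 - - [23/Sep/2001:20:58:02 -0400] "GET /_vti_bin/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [23/Sep/2001:20:58:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
"""

if __name__ == "__main__":
    for rule in ipfw_rules(count_probes(SAMPLE_LOG.splitlines()), top_n=10):
        print(rule)
```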