Re: New worm protection

From: Chris BeHanna (
Date: 09/24/01

Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT)
From: Chris BeHanna <>
To: David G Andersen <>

On Sun, 23 Sep 2001, David G Andersen wrote:

> Lo and behold, Chris Byrnes once said:
> >
> > Has anyone written an easy-to-use ipfw rule or some kind of script that will
> > help with this new worm?
> Someone already pointed out disabling logging on your webserver.
> He also suggested a Tarpit-like approach. I like the following
> simple script, which is what I run on my webservers.
> mkdir DOCROOT/scripts
> # Cover the two alternate bits as well
> ln -s DOCROOT/scripts DOCROOT/_mem_bin
> ln -s DOCROOT/scripts DOCROOT/_vti_bin
> cat > DOCROOT/scripts/.htaccess
> ErrorDocument 404 /scripts/nph-foo.cgi
> <EOF>
> cat > DOCROOT/scripts/nph-foo.cgi
> #!/usr/bin/perl
> sleep(5);
> exit(0);
> <EOF>
> NIMDA doesn't hang out for very long waiting for a response
> to the script headers, so a labrea-tarpit like approach won't
> actually be particularly effective.

    I had a thought that since the initial request was for a directory
listing of a Windows C: drive, that I'd give one to him.

    One byte per second.

    I don't know if NIMDA will time out after I send the initial
headers, but if not, then I could potentially tarpit one for a couple
of hours. :-)

    The trouble with triggering ipfw/ipchain rules is that as the
ruleset gets large, network performance gets slow (rulesets are
searched linearly). A nice compromisse would be to gather statistics
on the attackers and just firewall out the top 10 or 20 or so.

    The trouble with attempting to send a remote shutdown is that it's
illegal (breaking into someone else's machine to run a program and all).

    Of course, if you have some unused IP addresses, there is always
La Brea. :-)

Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
I was raised by a pack of wild corn dogs.
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message