Re: How will i block this kind of request

From: jpd (read_the_sig_at_do.not.spam.it)
Date: 09/09/03

  • Next message: Hans: "Re: How will i block this kind of request" 
    Date: Tue, 9 Sep 2003 12:09:17 +0000 (UTC)

    In article <bjd3bt$ge2$1@atlas.dgp.toronto.edu>, Alan J Rosenthal wrote:
    > sundaram@percipia.com (Sundaram Ramasamy) writes:
    >>I am getting this kind of log message on my web server log. How will i
    >>block this kind of request.
    >>
    >>64.140.34.130 - - [04/Sep/2003:16:51:28 -0400] "GET /default.ida?XXXXXXXXXXXX
    > ...
    >>31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284

    To OP: These are the footprints of a worm that was popular years ago.
    I'd expect any self-respecting webadmin to know about them. Funny how
    they still haven't died out.

    > That "404" is your web server saying "sorry". I'd say it _is_ blocked,
    > in any relevant sense. They say "default.ida", you say "sorry".

    Noooo, we need a firewall to fix it! A firewall, nothing else will do!!!1
    Methinks I'll install one, next to my DDoS preventing apache module...

    > Now, I think you want your web server to tell them "*** off" instead of
    > merely "sorry". But if a new code were standardized with that meaning and
    > your web server returned, say, 416 instead of 404, I promise you you'd find it
    > strangely unsatisfying.

    There already exist such things:

    406 Not Acceptable (`fsck off')
    412 Precondition Failed (`we don't support b0rken stuff like that here')
    417 Expectation Failed (`I thought you'd ask something sensible', or `No,
        that won't work here'. OTOH, that implies 404==417 for those values of 417)
    503 Service Unavailable (where Service ~= r00ting)

    Ofcourse this isn't exactly _correct_ http, but then again, r00ting isn't
    either. Not that it'll change anything, at all, ofcourse. 

    -- 
  j p d (at) d s b (dot) t u d e l f t (dot) n l .
  • Next message: Hans: "Re: How will i block this kind of request"
    • Quantcast