I'm gonna suggest this one more time: LaBrea, from http://www.threenorth.com/LaBrea should make these attacks slow down like they're wading through molasses. Now, if most or all ISPs installed tarpits like this it would seriously reduce the virulence of the attacks. Just my $0.02 worth. David Leonard ShaysNet On Tue, 18 Sep 2001, Iljitsch van Beijnum wrote:
On Tue, 18 Sep 2001, Joseph McDonald wrote:
Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Or what about this: redirect your 404 to a PHP script with something like:
ErrorDocument 404 /404.php
and then let a script like this waste the attacker's time:
<? echo "404 This page is not available.\n"; flush(); sleep(150); ?>
This should slow the scanning and thus the waste of bandwidth and spread rate of the infections down. At least, if the worm is single threaded.
Iljitsch van Beijnum