18 Sep 2001, 1:36 p.m.
On Tue, 18 Sep 2001, Joseph McDonald wrote:
> Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact? One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.

Or what about this: redirect your 404 to a PHP script with something like:

  ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

  <?php
  // Send the 404 body right away, then hold the connection open.
  echo "404 This page is not available.\n";
  flush();
  sleep(150);
  ?>

This should slow the scanning and thus the waste of bandwidth and spread rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum
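
The two ideas in this message, the shared table of prober IPs and the sleeping 404.php, combined in one script as an added example that is not part of the original thread. Each sleeping request occupies one Apache child and every ordinary broken link also reaches the ErrorDocument, so this version delays only repeat offenders and caps the number of concurrent sleepers. The state file path, the limits and the helper name with_state are assumptions.

```php
<?php
// Added example, not from the thread. Path, limits and names are assumptions.
const STATE_FILE   = '/var/tmp/tarpit.json'; // assumed; must be writable by Apache
const DELAY        = 150;  // seconds, as in the script above
const MAX_SLEEPERS = 20;   // assumed cap; keep well below Apache's MaxClients
const THRESHOLD    = 3;    // assumed: 404s from one IP before it is tarpitted
const WINDOW       = 3600; // assumed: seconds before an idle IP is forgotten

// Run $fn on the shared state under an exclusive lock, then save the state.
function with_state(callable $fn)
{
    $fh = fopen(STATE_FILE, 'c+');
    flock($fh, LOCK_EX);
    $state = json_decode(stream_get_contents($fh), true)
        ?: ['sleepers' => [], 'probers' => []];
    $result = $fn($state);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

$ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$now = time();

$tarpit = with_state(function (array &$s) use ($ip, $now) {
    // Expire old entries so the file cannot grow without bound and a child
    // that died mid-sleep does not hold a slot forever.
    $s['sleepers'] = array_values(array_filter($s['sleepers'], fn($t) => $t > $now));
    $s['probers']  = array_filter($s['probers'], fn($p) => $p['last'] > $now - WINDOW);
    $hits = ($s['probers'][$ip]['hits'] ?? 0) + 1;
    $s['probers'][$ip] = ['hits' => $hits, 'last' => $now];
    // First-time 404s (a stale link) and a full pool both get a fast answer.
    if ($hits < THRESHOLD || count($s['sleepers']) >= MAX_SLEEPERS) {
        return false;
    }
    $s['sleepers'][] = $now + DELAY; // reserve one slot until the sleep ends
    return true;
});

http_response_code(404);
echo "404 This page is not available.\n";
if ($tarpit) {
    flush();
    sleep(DELAY);
}
```

The probers table in the state file is the shared per-IP record the quoted message asks for; refusing connections outright would have to happen in front of PHP, since the script only runs after Apache has accepted the request.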