It wouldn't double network traffic, as the virus would be attacking the local
host.  With any luck the attacking hosts will DoS themselves, saving the rest of
us the trouble.

Almost makes me want to preemptively strike any IIS host *I* run across.  Sigh.

Chuck Kimber wrote:

> The problem with doing this is that this thing is already causing DoS
> symptoms on the internet due to the massive amount of traffic it is causing.
> Returning it will only double network traffic.  Are you sure you want to add
> to the problem?
>
> Chuck
>
> -----Original Message-----
> From: AOLserver Discussion [mailto:[EMAIL PROTECTED]]On Behalf
> Of Jim Wilcoxson
> Sent: Tuesday, September 18, 2001 1:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [AOLSERVER] Code Rainbow attacks
>
> Try installing this in your modules/tcl directory:
>
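> # procedure to reflect nimda virus calls to (maybe) crash the attacker instead
> ns_log notice "loading nimda.tcl"
> # run the nimda proc at the preauth stage for any GET under /scripts/
> ns_register_filter preauth GET /scripts/* nimda
> proc nimda {conn ignore} {
>   # request line is "METHOD URL PROTOCOL"; element 1 is the requested URL
>   set req [ns_conn request]
>   set reqlist [split $req " "]
>   set url [lindex $reqlist 1]
>   # address of the connecting client
>   set host [ns_conn peeraddr]
>   ns_returnredirect http://$host$url
>   # a response has been sent, so tell the server to stop processing this request
>   return filter_return
> }
> ns_log notice "nimda.tcl loaded"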
>
> Also available at http://www.rubylane.com/public/nimda.tcl.txt
>
> It tells the attacker to attack himself.  Not sure if it'll follow the
> redirect, but it's worth a shot.
>
> Jim
>
> >
> > And still more information is at
> > http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
> >
