No, not sure that returning a redirect is a good thing. Someone would
need to verify that this does in fact disable the thing.
A better option might be to add a 5-second delay before the redirect.
The time delay would depend on how often you are getting hit, how
many connections you can afford to tie up on your server, and whether
the attacking code is multi-threaded or single-threaded.
If all servers just hung onto the attacker for a while, it would slow
down the attack (I think).
Jim
>
> The problem with doing this is that this thing is already causing DoS
> symptoms on the internet due to the massive amount of traffic it is causing.
> Returning it will only double network traffic. Are you sure you want to add
> to the problem?
>
> Chuck
>
> -----Original Message-----
> From: AOLserver Discussion [mailto:[EMAIL PROTECTED]]On Behalf
> Of Jim Wilcoxson
> Sent: Tuesday, September 18, 2001 1:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [AOLSERVER] Code Rainbow attacks
>
>
> Try installing this in your modules/tcl directory:
>
> # procedure to reflect nimda virus calls to (maybe) crash the attacker instead
> ns_log notice "loading nimda.tcl"
> ns_register_filter preauth GET /scripts/* nimda
> proc nimda {conn ignore} {
>     # the request line is "METHOD URL PROTOCOL"; the URL is the second field
>     set req [ns_conn request]
>     set reqlist [split $req " "]
>     set url [lindex $reqlist 1]
>     set host [ns_conn peeraddr]
>     ns_returnredirect http://$host$url
>     # a response has been sent, so stop further processing of this request
>     return filter_return
> }
> ns_log notice "nimda.tcl loaded"
>
> Also available at http://www.rubylane.com/public/nimda.tcl.txt
>
> It tells the attacker to attack himself. Not sure if it'll follow the
> redirect, but it's worth a shot.
>
> Jim
>
> >
> > And still more information is at
> >
> http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
> >
>