Most of the traffic to my website is bots looking for exploits; sometimes the load average climbs over 100. The bots are mostly repetitive and easy to characterize. Attempts to connect to mysqladmin, for example. They arrive with a source ip address.
I have a dyndns account. AFAIK, there is no limit to the number of dynamic IPs and sub-domains I can use. So imagine the following response to detecting bot traffic:

1) log the source ip address, prepend it to the top of a table.
2) use a modified form of ddclient to tell dyndns to use that IP address for one of many fake subdomains.
3) send the bot a redirect to one of the many fake subdomains, which connects them to the ip address of another bot.

Hopefully, I can get the bots to waste time talking to machines hosting other bots. Since the target machines are already compromised, the increased traffic might get the clueless owner's attention. Or make the bot army "p0wners" angry at each other.

The downside is the bots may share and mix code, and evolve in a Darwinian fashion into a malevolent global superAI, which will enslave all the rest of you, and call me "daddy".

Keith
--
Keith Lofstrom [email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
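The first step of the scheme above, recognising the repetitive probes and keeping a most-recent-first table of their source addresses, is the part worth having in working form regardless of what is done with the list afterwards. The following is an added example, not code from the post or from the PLUG list; it assumes an Apache combined-format access log and uses a few constructed log lines (documentation-range addresses) as input. The probe paths it matches are a small hypothetical list, and the threshold used to call an address a bot is an assumption.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 -0700] "GET /pma/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:39 -0700] "GET /mysqladmin/ HTTP/1.1" 404 196 "-" "python-requests/2.25"
203.0.113.7 - - [10/Oct/2023:13:55:40 -0700] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 -0700] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Parses the fields we need from a combined-format line: source IP, timestamp,
# method, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical list of paths that only scanners ask for on a site that does
# not host these applications (an assumption for the example).
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"/phpmyadmin", r"/pma/", r"/mysqladmin", r"/wp-login\.php")
]


def is_probe(path):
    """True if the request path looks like one of the known exploit probes."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def tally_probes(log_text):
    """Scan log lines for probe requests.

    Returns (table, counts): `table` is the list of offending source IPs with
    the most recent offender first (each IP appears once), as in step 1 of the
    post; `counts` maps each IP to the number of probe requests it made.
    """
    table = []
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("path")):
            continue
        ip = m.group("ip")
        counts[ip] += 1
        if ip in table:
            table.remove(ip)
        table.insert(0, ip)  # prepend: latest offender goes to the top
    return table, counts


def offenders(counts, threshold=2):
    """IPs with at least `threshold` probe hits, most active first.

    The threshold is an assumed cutoff; one stray 404 is not proof of a bot.
    """
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    table, counts = tally_probes(SAMPLE_LOG)
    print("most recent offenders first:", table)
    print("probe counts:", dict(counts))
    print("addresses over threshold:", offenders(counts))
```

Run against a real log, the `table` is the working list the post describes; a sensible defensive use of the same data is feeding `offenders()` into a firewall or fail2ban-style block rule, and tuning `PROBE_PATTERNS` against a few days of logs so that legitimate 404s from ordinary visitors are not swept in.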
