At 10:15 AM 19/09/2001 +1000, Jeffrey Borg wrote:

>If you want to kill this new worm on the head (instead of many HTTP
>requests, stop it after the 1st), it's very simple and a bit insecure.
>
>either use a firewalling tool or plain old route!
>
>Firstly, chmod +s your tool (this is insecure, I know, but then the webserver
>user can do the dirty work of blocking hosts in real time!)
>
>Then, say for iptables, get a script called /scripts/root.exe to execute (in
>whatever your language is):
>
>/sbin/iptables -I INPUT -s (SOURCE IP) -j DROP
>OR
>/sbin/route add -host (SOURCE IP) dev lo
>
>and no more requests from that machine at all.

Interesting idea!

Dropping packets from a source address will mean nothing gets logged from 
that source IP and Apache won't see the request, but it won't necessarily 
stop the traffic, just filter it at your server/gateway.  This is helpful 
if you are getting a denial-of-service attack that is crippling your 
ability to serve HTML to legitimate requests, but it isn't going to solve 
the problem if the attack is chewing into your bandwidth and affecting 
latency/data charges.

Might be a cool idea to add to the script a log of the IPs being dropped 
that you could then email to your ISP to filter out further upstream at 
their routers.

I see an eventual solution to distributed denial-of-service attacks like 
Code Red lying in the automated notification and blocking of source IPs at 
the source rather than the destination ISP.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
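An added worked example, not from either poster: a small POSIX shell handler that does what the quoted post describes (insert the same iptables -I INPUT -s ... -j DROP rule on the first hit) and keeps the drop log the reply asks for. Two things a practitioner would want on top of the post: the address arrives from the remote client via the web server, so it is validated before it reaches a shell command, and loopback plus a NEVER_BLOCK list are refused so you cannot lock yourself out. BLOCKLOG, NEVER_BLOCK, the log line layout and the CGI invocation (REMOTE_ADDR, REQUEST_URI) are assumptions. One caveat on the chmod +s step: Linux ignores the setuid bit on interpreted scripts, so a shell script like this has to be invoked through a compiled setuid wrapper or a sudoers rule limited to this one command, and the only privileged part is the final iptables call.

```shell
#!/bin/sh
# Added example (not from the SLUG thread): a block-on-first-hit handler in
# the spirit of the quoted post, plus the drop log the reply suggests.
# BLOCKLOG, NEVER_BLOCK and the log line format are assumptions.

BLOCKLOG="${BLOCKLOG:-/var/log/worm-blocks.log}"   # assumed log location
IPTABLES="${IPTABLES:-/sbin/iptables}"
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"             # space separated, assumed

# Accept only a dotted quad with four octets in 0..255. The address comes
# from the web server (REMOTE_ADDR), i.e. from the remote client, so it
# must never reach a shell command unvalidated.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Never block an address that would lock us out of our own box.
protected() {
    case $1 in 127.*) return 0 ;; esac
    for p in $NEVER_BLOCK; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# One rule per offender: the worm retries, and stacking identical DROP
# rules only makes the INPUT chain slower to walk.
already_blocked() {
    [ -f "$BLOCKLOG" ] && grep -qF " $1 " "$BLOCKLOG"
}

# Log the hit, then insert the DROP rule exactly as the quoted post does.
# Returns 0 when a rule was added; 1 when the address was malformed,
# protected or already blocked.
block_ip() {
    ip=$1
    req=${2:-unknown}
    if ! valid_ipv4 "$ip"; then
        echo "refusing to block malformed address: $ip" >&2
        return 1
    fi
    if protected "$ip"; then
        echo "refusing to block protected address: $ip" >&2
        return 1
    fi
    already_blocked "$ip" && return 1
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ip" "$req" >> "$BLOCKLOG"
    "$IPTABLES" -I INPUT -s "$ip" -j DROP
}

# The report to mail upstream: one line per offender with first-seen time
# and what it asked for, so the ISP can filter at its routers.
report() {
    [ -f "$BLOCKLOG" ] || return 0
    awk '{ print $2, "first seen", $1, "probing", $3 }' "$BLOCKLOG"
}

# When run as the CGI handler for the probe path, the client address is in
# REMOTE_ADDR (a standard CGI variable); send a minimal response so the
# worm's request completes, and block the sender.
if [ -n "$REMOTE_ADDR" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    block_ip "$REMOTE_ADDR" "${REQUEST_URI:-unknown}" || true
fi
```

Point IPTABLES at a stub (for instance true) and BLOCKLOG at a scratch file to dry-run it; report prints the offenders in a form you can paste straight into mail to the ISP.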