On Wed, 19 Sep 2001, Graeme Robinson wrote:

> At 10:15 AM 19/09/2001 +1000, Jeffrey Borg wrote:
>
> >If you want to kill this new worm on the head (instead of many http
> >requests stop it after the 1st it's very simple and a bit insecure)
> >
> >either use a firewalling tool or plain old route!
> >
> >firstly chmod +s your tool (this is insecure I know but then the webserver
> >user can do the dirty work of blocking hosts in real time!)
> >
> >then say for iptables get a script called /scripts/root.exe to execute (in
> >whatever your language is)
> >
> >/sbin/iptables -I INPUT -s (SOURCE IP) -j DROP
> >OR
> >/sbin/route add -host (SOURCE IP) dev lo
> >
> >and no more requests from that machine at all.
>
> Interesting idea!
>
> Dropping packets from a source address will mean nothing gets logged from
> that source IP and Apache won't see the request, but it won't necessarily
> stop the traffic, just filter it at your server/gateway. This is helpful
> if you were getting a denial of service attack that was crippling your
> ability to serve html to legitimate requests but isn't going to solve the
> problem if the attack is chewing into your bandwidth and affecting
> latency/data charges.

You get one request and quite a few incoming packets to try and establish a
TCP connection, but it's not that much traffic compared to allowing the
requests to happen. Anyway, it's working fine for me (btw I only have one
machine here anyway, but I don't want to block off the web server).

Well, in this solution no outgoing bandwidth is used because you don't send
anything back, and there is really minimal incoming traffic. I had 12 MB
incoming today and 11 MB yesterday because of this. I expect it to drop back
to about a meg or two after this.

> Might be a cool idea to add to the script a log of the IP's being dropped
> that you could then email your ISP to filter out further upstream at their
> routers.

Bit late at that stage; you need to stop the requests in real time.
By the time that happens they have finished scanning. Different if you could
change the rules in real time on the other end.

> I see an eventual solution to distributed denial of service attacks like
> code red lying in the automated notification and blocking of source IP's at
> the source rather than destination ISP.

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
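The handler the thread describes, written out as an added example (this is not code from the original posts or from any of the participants): a CGI-style shell script that the web server maps to the worm's request URL. It blocks the requesting host with an iptables DROP rule, as in the first post, and also keeps the log of dropped addresses that Graeme suggested, so the list can be forwarded upstream. The log path, the iptables path, and reliance on the CGI variable REMOTE_ADDR are assumptions about the deployment; the `route add -host ... dev lo` variant from the post would slot into `block_host` in place of the iptables call.

```shell
#!/bin/sh
# Added example, not code from the original thread. A CGI handler that blocks
# the requesting host with iptables and records each blocked IP with a
# timestamp. BLOCKLOG, IPTABLES and the use of REMOTE_ADDR are assumptions.

BLOCKLOG="${BLOCKLOG:-/var/log/worm-blocks.log}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Accept only a well-formed dotted-quad IPv4 address. The value is about to be
# placed on the command line of a privileged tool, so anything else is refused.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if this address is already in the log (first field of each line).
already_blocked() {
    [ -f "$BLOCKLOG" ] && cut -d' ' -f1 "$BLOCKLOG" | grep -qxF "$1"
}

# Insert a DROP rule for the address and append it to the log. Returns 0 if the
# host is now blocked (newly or previously), 1 if the address was rejected or
# the firewall command failed. The duplicate check keeps a scanner that sends
# several requests before the first rule lands from adding the rule repeatedly.
block_host() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    already_blocked "$ip" && return 0
    "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    printf '%s %s\n' "$ip" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$BLOCKLOG"
}

# CGI entry point: runs only when a web server invokes the script with the
# standard CGI environment; sourcing the file elsewhere leaves it inert.
if [ -n "$GATEWAY_INTERFACE" ] && [ -n "$REMOTE_ADDR" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if block_host "$REMOTE_ADDR"; then
        echo "blocked $REMOTE_ADDR"
    else
        echo "no action"
    fi
fi
```

Two deployment points worth knowing. Linux ignores the setuid bit on `#!` scripts, so the `chmod +s` approach from the post does not actually grant the web server user the privilege to call iptables; a sudoers entry that allows only this script (or only `iptables -I INPUT -s <addr> -j DROP`) for the web server user is the narrower way to get the same effect. And REMOTE_ADDR is the TCP peer as the server sees it, so behind a reverse proxy or load balancer the script would block the proxy rather than the scanning host; in that layout the rule belongs on the front-end device instead.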
