On 16 Apr 2013, at 19:38, "André Warnier" <a...@ice-sa.com> wrote:
> Pïd stèr wrote:
>> On 16 Apr 2013, at 17:58, chris derham <ch...@derham.me.uk> wrote:
>>
>>>> Or, another way of looking at this would be that for every 40 servers
>>>> scanned without a 404 delay, the same bot infrastructure within the same
>>>> time would only be able to scan 1 server if a 1 s 404 delay was implemented
>>>> by 50% of the webservers.
>>>
>>> This assumes that the scanning software makes sequential requests.
>>> Assuming your suggestion was rolled out (which I think is a good idea
>>> in principle), wouldn't the scanners be updated to make concurrent
>>> async requests? At which point, you only end up adding 1 second to the
>>> total original time? Which kind of defeats it.
>>>
>>> Again I'd like to state that I think you are onto a good idea, but the
>>> other important point is that some (most?) of these scans are run from
>>> botnets. These have zero cost (well, for the bot farmers anyway). My
>>> point is even if the proposal worked, they don't care if their herd is
>>> held up a little longer - they are abusing other people's
>>> computers/connections so it doesn't cost them anything directly.
>>>
>>> Sorry but those are my thoughts
>>
>> I tend to agree. Effort will just be expended elsewhere, and that's
>> assuming this would have enough of an impact to be noticed.
>
> Say that it would be easy to implement this in Tomcat, and that we do not
> collectively find good reasons not to do so, and that it does get implemented.
>
> Then I pledge that my next move would be to bring this similarly onto the
> Apache httpd list (using the Tomcat precedent as an introduction of course
> (à la "hey guys - those smart Tomcat developers have just had a great idea
> etc..")).
>
> I haven't checked the actual numbers yet, but I would imagine that between
> Apache httpd and Tomcat, we're talking of a significant proportion of the
> overall webservers, no ?

Only if you can get them updated in a timely fashion. And only if the default setting is 'on'.

p

> Alternatively of course, still if there are no definite arguments against it,
> but the Tomcat developers are not interested, I could go to the Apache list
> anyway. And then they might be the first to introduce this great feature.
>
> Or maybe I'll just patent it, and then sell the patent to the makers of the
> third most-popular webserver..
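The Tomcat-side delay the thread is debating, sketched as a webapp-level servlet Filter. This is an added illustration, not Tomcat's own code or anything from the list; the `delayMillis` init-param name is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter illustrating the proposal: hold every 404 for a fixed
// delay before it reaches the client. Map it on /* in web.xml.
public class NotFoundDelayFilter implements Filter {

    // The thread's example figure: 1 s per 404, expressed in milliseconds.
    private long delayMillis = 1000L;

    @Override
    public void init(FilterConfig config) {
        // "delayMillis" is an assumed init-param name, not a Tomcat setting.
        String configured = config.getInitParameter("delayMillis");
        if (configured != null) {
            delayMillis = Long.parseLong(configured.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Let the rest of the chain (e.g. Tomcat's DefaultServlet) set the status.
        chain.doFilter(request, response);

        // sendError(404) only records the status at this point; Tomcat renders
        // the error page after the filter chain unwinds, so sleeping here delays
        // the 404 leaving the server. The request thread is held for the whole
        // delay, which is the server-side cost the thread's participants weigh.
        if (response instanceof HttpServletResponse
                && ((HttpServletResponse) response).getStatus()
                   == HttpServletResponse.SC_NOT_FOUND) {
            try {
                Thread.sleep(delayMillis);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }

    @Override
    public void destroy() {
    }
}
```

The sleeping thread stays checked out of the connector's worker pool for the full delay, so the delay consumes the server's own capacity as well as the scanner's time; that is the cost side of the trade-off discussed above and why a per-request sleep is a crude form of tarpit.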