Christian Folini wrote:
André,

On Wed, May 01, 2013 at 02:47:55AM +0200, André Warnier wrote:
> With respect, I think that you misunderstood the purpose of the proposal.
> It is not a protection mechanism for any server in particular.
> And installing the delay on one server is not going to achieve much.

In fact I did understand the purpose, but I wanted to get
my point across without writing a lengthy message on the
merits and flaws of your theory.

My point is: ModSecurity has all you need to do this
right now. All that is missing is enough people configuring
their servers as you propose.

Like many others, I do not think this will work. If it really
bothers you (and your bandwidth), then I would try and use a
real-time blacklist lookup (-> ModSecurity's @rbl operator).
Given the work of the spam defenders, these blacklists should
contain the IP addresses of the scanning bots as well.
I do not have this configured, but I would be really
interested to see the effect on average load, connection
use and number of scanning attempts on a server.

Interesting discussion by the way. Maybe a bit hot, though.


Hi.
Thank you for this "cool" contribution.

I'd like to say that I do agree with you, in that there are already many tools to help defend one's servers against such scans, and against more targeted attacks. I have absolutely nothing /against/ these tools, and indeed installing and configuring such tools on a majority of webservers would do much more for Internet security in general, than my proposal ever would.

But at the same time, there is the rub, as you say yourself: "All that is missing is enough people configuring their servers as you propose."

These tools must be downloaded separately, installed, configured and maintained, all by someone who knows what he's doing. And this means that, in the end (and as the evidence shows), only a tiny minority of webservers on the Internet will effectively set up one of those, and the vast majority of webservers will not. And among the millions of webservers that don't, there will be enough candidates for break-in to justify these URL scans, because URL-scanning at this moment is cheap and really fast.

In contrast, my proposal is so simple from an Apache user point of view, that I believe that it could spread widely, without any other measure than configuring it by default in the default Apache distribution (and be easily turned off by whoever decides he doesn't want it).

If my purpose was merely to shield my own servers, then I would not spend so much time trying to defend the merits of this proposal. Instead, I would install one of these tools and be done with it. I am not doing it, because on the one hand my servers - as far as I know of course - do not exhibit any of these flaws which they are scanning for, and on the other hand because these traces in the logs provide me with information about how they work.

I apologise if I repeat myself, and if I am perceived as "hot" sometimes.
It may be because of a modicum of despair. I don't know what I was expecting as a reaction to this proposal, but I am disappointed - maybe wrongly so. I was ready for criticism of the proposal, or for someone proving me wrong, on the basis of real facts or calculations. But what I am mostly seeing so far are objections apparently based on a priori opinions which my own factual observations show to be false. Not only my own, though: the couple of people here who have contributed based on real experience with real servers do not seem to contradict my own findings. So I am not totally despairing yet.

But I am a bit at a loss as to what to do next. I could easily enough install such a change on my own servers (they are all running mod_perl). But then, if it shows that the bots do slow down on my servers or avoid them, it still doesn't quite provide enough evidence to prove that this would benefit the Internet at large, does it?

Does anyone have knowledge of some organisation which could try this out on a sufficient number of servers to definitely either prove or disprove the idea?