AW: Security - Attack

2002-06-13 Thread Ralph Einfeldt

I have doubts that the viruses will follow the redirect.

I prefer to answer with a 400/403/406 (will still be logged)
or 204 (No log entry).

I also have doubts that this is legal, so be careful what you do.

> -Original Message-
> From: Cato, Christopher [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 June 2002 13:38
> To: 'Tomcat Users List'
> Subject: RE: Security - Attack
> 
> 
> You should do what I did. For Code Red and similar exploits, 
> create a bunch of mod_rewrite filters (in httpd.conf - for Apache) 
> that redirects all those requests to www.microsoft.com instead. 
> After all, they ARE responsible, aren't they? :)
> 

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




AW: Security - Attack

2002-06-13 Thread Ralph Einfeldt

On which level did you implement this ?

- apache/iis configuration
- tomcat configuration
- tomcat filter/valve

Or where else ?

> -Original Message-
> From: Jean Christophe Rousseau [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 June 2002 14:21
> To: Tomcat Users List
> Subject: RE: Security - Attack
>
> For my part I chose not to answer this kind of 
> request at all and shut down the socket connection.
> 





AW: Security - Attack

2002-06-13 Thread Ralph Einfeldt

Blocking the IP can be a dangerous thing:

- If there are several people behind a proxy, you will
  disable all.
- If the attacking PC has a provider with dynamic IPs
  it doesn't help at all, it will just disable all
  users that get this IP in the future.
- It makes you vulnerable to a DoS attack. As it is possible
  to fake IP addresses, an attacker can disable the access to 
  your site for a big amount of people.

> -Original Message-
> From: peter lin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 June 2002 14:32
> To: Tomcat Users List
> Subject: Re: Security - Attack
> 
> apache and tomcat aren't vulnerable, but putting up a 
> firewall to block the IP might be a good idea. For my 
> own server I use zone alarm pro, which will block IPs trying 
> this exact type of exploit.





AW: Security - Attack

2002-06-13 Thread Ralph Einfeldt

I wouldn't say that they do no harm:

- They mess up your statistics
  If you don't change your configuration it's not
  possible to distinguish the 404s from the viruses
  from others that might indicate errors in your 
  site. (I always get nervous if a server has a
  'file not found' count > 0)
- They (sometimes) kill your log file space
  In high noon of nimda and code red, those viruses
  produced several megabytes of logfiles for each 
  site we are hosting.
  So it makes some sense to change the configuration 
  for apache.

> -Original Message-
> From: Tim Funk [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 June 2002 15:04
> To: Tomcat Users List
> Subject: Re: Security - Attack
> 
> 
> Warning: this may start a flame war - but it's my opinion.
> 
> What is the purpose of detecting and trying to prevent these 
> attacks? If someone code reds (or similar) you - they get a 404 
> error. Why waste the extra processing power and extra config 
> maintenance on something that does "no harm". When the next type 
> of attack comes out - should the config be changed to address 
> that? It's a waste of time.
> 
> -Tim
> 
> Jim Urban wrote:
> >> create a bunch of mod_rewrite filters (in httpd.conf - for Apache) that
> >> redirects all those requests to www.microsoft.com
> > 
> > Can you provide an example?
> > 
> > Jim
> > 
> 
> 





Re: AW: Security - Attack

2002-06-13 Thread peter lin


It's my home system, so I don't care if someone I don't know gets
blocked. For a production system it would be better to just filter as
someone else said earlier. I run both tomcat and orion, so neither is
vulnerable, but I'd rather not clean up logs every week because of stupid
IIS exploits.

Another thing which admins should do is filter outgoing traffic from
their network for this type of virus/trojan. At least I would, but not
everyone has the time or inclination to do so. In any case, you could write
a request filter in tomcat that will filter out all requests with
".exe".

peter



Ralph Einfeldt wrote:
> 
> Blocking the IP can be a dangerous thing:
> 
> - If there are several people behind a proxy, you will
>   disable all.
> - If the attacking PC has a provider with dynamic IPs
>   it doesn't help at all, it will just disable all
>   users that get this IP in the future.
> - It makes you vulnerable to a DoS attack. As it is possible
>   to fake IP addresses, an attacker can disable the access to
>   your site for a big amount of people.
> 
> > -Original Message-
> > From: peter lin [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 13 June 2002 14:32
> > To: Tomcat Users List
> > Subject: Re: Security - Attack
> >
> > apache and tomcat aren't vulnerable, but putting up a
> > firewall to block the IP might be a good idea. For my
> > own server I use zone alarm pro, which will block IPs trying
> > this exact type of exploit.
> 

--
To unsubscribe, e-mail:   
For additional commands, e-mail:
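
The Tomcat request filter suggested in the last message, combined with the 403 answer proposed earlier in the thread so that worm probes stop showing up as 404s in the statistics. This is an added example, not code posted by anyone on the list: the class name `WormProbeFilter` is hypothetical, the `.ida` suffix (Code Red requested `/default.ida`) is added here next to the `.exe` named in the thread, and the `javax.servlet` package assumes Tomcat 9 or older (Tomcat 10+ uses `jakarta.servlet`).

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: answers IIS worm probes with 403 instead of 404. */
public class WormProbeFilter implements Filter {

    // ".exe" comes from the thread; ".ida" is an assumption added for Code Red.
    private static final String[] PROBE_SUFFIXES = { ".exe", ".ida" };

    /** True if the request path ends in a suffix this site never serves. */
    static boolean isProbe(String uri) {
        if (uri == null) {
            return false;
        }
        // getRequestURI() can carry path parameters such as ";jsessionid=..."
        int semi = uri.indexOf(';');
        String path = (semi >= 0 ? uri.substring(0, semi) : uri)
                .toLowerCase(Locale.ROOT);   // IIS paths are case-insensitive
        for (String suffix : PROBE_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && isProbe(((HttpServletRequest) req).getRequestURI())) {
            // 403 is still logged, but is now distinguishable from a real 404.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;                           // never reaches the webapp
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter has to be mapped to `/*` in the web application's `web.xml`. It only matches the raw request path, so it is a log-hygiene measure for a server that is not vulnerable to these requests in the first place, not an access control.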