From: "Brian Curtis" <[EMAIL PROTECTED]>

> Repeating offenders of the Nimda virus (my list has been compiled from
> a 5-day data sample).  I'm trying to figure out some way to lessen the
> bandwidth load that all these scans are creating.
> 
> I already have a shell script ready to go containing ~2400 lines of:
> 
> /sbin/ipchains -I input -s 208.3.252.37 -j DENY
> /sbin/ipchains -I input -s 208.165.50.100 -j DENY
> /sbin/ipchains -I input -s 208.242.215.200 -j DENY
> ...
> 
> But, like you said, the performance hit would probably be just as bad
> as the scans themselves.

No, you get a double hit. You get the performance hit of the samples and
you still get hit over and over again. A better approach, if you do not have
any web page visible to the outside (or "should not"), is to go to
http://www.incidents.org and acquire "labrea", the tarpit tool that slows
down the scans. It would also be interesting to write notes to your ISP, if
these are likely also on your ISP's network, requesting that infected people
be locked off until they are infection-free.

Labrea works fairly simply. It acks the connection with a very small maximum
packet size. It then waits as long as it can to ack each of the 5 byte
packets received afterwards. It dumps them on the floor, of course. The idea
is to tie up the scanner in its own TCP/IP negotiations as long as possible.
That lessens the load somewhat.

But simply placing the entries in your firewall is solving only a part of
the problem. You still get hit for each trial. Another interesting solution
would be to visit the list of IP ranges that are known dialup
addresses. Build THEM into your firewall as ranges. You may still
have 2400 entries. But you'd not have to add to them very often. (And since
I just had this idea on the spur of the moment, is there a handy place to
get this list? I feel a burst of editing coming on and a *VERY* big firewall
list here. Some creative ordering on the list might help mitigate some of
the load. But I doubt it....)

{^_^}
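The two ideas in the thread, collapsing the ~2400 single-host ipchains lines into range rules and ordering the list so the busiest scanners match first, are shown below as an added Python example. It is not code from either poster; the probe list is a constructed sample standing in for the 5-day log, and the /24 grouping and the two-host threshold are assumptions chosen for illustration (the poster's real input would be a known-dialup range list).

```python
"""Collapse a per-IP deny list into netblock rules, busiest sources first.

Added example (not from the original thread).  Input is one entry per
probe observed; in practice it would be parsed from the web server or
firewall log.  Grouping by /24 and requiring two distinct hosts before a
whole block is denied are illustrative assumptions.
"""
from collections import Counter
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed sample: addresses repeat because infected hosts keep
# rescanning.  The first three prefixes echo the thread's script; the
# 10.20.30.40 entry is a made-up private address for the single-host case.
SAMPLE_PROBES = [
    "208.3.252.37", "208.3.252.37", "208.3.252.40",
    "208.165.50.100", "208.165.50.101", "208.165.50.102", "208.165.50.103",
    "208.242.215.200", "208.242.215.200", "208.242.215.200",
    "10.20.30.40",
]


def hits_per_source(probes: List[str]) -> Counter:
    """Count probes per source address (keys are dotted-quad strings)."""
    return Counter(probes)


def build_rules(counts: Counter, prefixlen: int = 24,
                min_hosts: int = 2) -> List[Tuple[IPv4Network, int]]:
    """Turn per-host hit counts into (network, hits) rules.

    A whole /prefixlen block gets one rule when at least min_hosts distinct
    hosts inside it probed us; otherwise each host keeps its own /32 rule.
    Rules are sorted by hit count descending (ties by address) so the most
    active scanners are matched earliest in the chain.
    """
    per_block: Dict[IPv4Network, Counter] = {}
    for ip, n in counts.items():
        block = ip_network(f"{ip}/{prefixlen}", strict=False)
        per_block.setdefault(block, Counter())[ip] = n

    rules: List[Tuple[IPv4Network, int]] = []
    for block, members in per_block.items():
        if len(members) >= min_hosts:
            rules.append((block, sum(members.values())))
        else:
            for ip, n in members.items():
                rules.append((ip_network(f"{ip}/32"), n))

    rules.sort(key=lambda r: (-r[1], r[0]))
    return rules


def render_ipchains(rules: List[Tuple[IPv4Network, int]]) -> List[str]:
    """One ipchains line per rule, in the order given.

    -A appends, so the chain matches in the order listed here.  The -I in
    the thread's script inserts each new rule at the head of the chain,
    which silently reverses the script's order.
    """
    return [f"/sbin/ipchains -A input -s {net.with_prefixlen} -j DENY"
            for net, _ in rules]


def rule_savings(counts: Counter, rules: List[Tuple[IPv4Network, int]]) -> Tuple[int, int]:
    """(rules needed per host, rules needed after grouping)."""
    return len(counts), len(rules)


if __name__ == "__main__":
    counts = hits_per_source(SAMPLE_PROBES)
    rules = build_rules(counts)
    before, after = rule_savings(counts, rules)
    print(f"# {before} per-host rules collapsed to {after}")
    for line in render_ipchains(rules):
        print(line)
```

Run it and the output is a drop-in replacement for the deny script: one /24 rule per netblock that housed several scanning hosts, single-host rules for the rest, busiest first. The grouping only reduces rule count; as the reply notes, every probe still traverses the chain, so this trims the cost per packet rather than the number of packets.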
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list