
Re: [Sheflug] Idea for dealing with script kiddies



On Wed, 2003-11-19 at 15:01, Jonathan wrote:
> Tom Knight-Markiegi wrote:
> 
> > Hi
> > 
> > I remember some posts talking about this before (but can't find them right
> > now) but I was wondering if there is a way to deal with script kiddies.
> > Anyone running a webserver is sure to have seen the attempted attacks in
> > their logs. I was wondering if this would work. If you get the names of the
> > files that are being looked for and symlink them to something like
> > /dev/urandom so when the script kiddies try to get the files they just get
> > an infinite stream of garbage. I'm thinking that if enough people did this


> P.S. Bear in mind with an approach like yours that you're probably 
> fighting an already compromised machine, using up resources that are 
> probably not going to affect script kiddies directly and streaming 
> random data at automated probes will probably consume more resources 
> than just letting them probe and move on.
> 

I echo that it's not a good idea, since Code Red shows that compromised
IIS servers will scan other IIS servers, and this just uses more
bandwidth than it saves.

Although maybe there is a little merit in the stream of random garbage.
If this "vigilante" type of response could have the TCP window size set
to 1, only one outstanding packet can exist, and if your server is
REALLY slow at sending back ACKs to TCP packets (but not so that it
times out) that would mess up anyone running these attacks in a single
thread. Tarpit is a good place to look at this kind of idea.

I think it would be a hell of a lot of work in the kernel (and breaking
the idea of an OSI model, since the layer handing out TCP packets needs
to understand bad/good data from the application layer).
-- 
Regards,
Adam Allen.

adam [at] dynamicinteraction.co.uk
pgp http://search.keyserver.net:11371/pks/lookup?op=vindex&search=adam%40dynamicinteraction.co.uk
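An application-layer version of the slow-drip idea, added here as an example and not code from the thread: rather than the kernel work Adam describes, a small HTTP front end recognises a probe request and answers with a header dripped one byte at a time, capped by a connection limit and a time budget so that, as Jonathan warns, it does not cost the defender more than it costs the probe. The probe paths and timing constants are constructed for illustration.

```python
import socket
import threading
import time

# Constructed probe paths (example values, not taken from the thread).
TARPIT_PATHS = {"/scripts/root.exe", "/cmd.exe", "/default.ida"}
MAX_TARPIT_CONNS = 16      # cap so the tarpit cannot exhaust our own resources
DRIP_INTERVAL = 10.0       # seconds between one-byte chunks
MAX_DRIP_SECONDS = 600.0   # per-connection time budget
_slots = threading.Semaphore(MAX_TARPIT_CONNS)

def is_probe(request_line: str) -> bool:
    """True if the HTTP request line asks for a known probe path."""
    parts = request_line.split()
    return len(parts) >= 2 and parts[1] in TARPIT_PATHS

def tarpit(conn, interval=DRIP_INTERVAL, budget=MAX_DRIP_SECONDS) -> int:
    """Drip a never-ending header; returns bytes dripped before peer left or budget ran out."""
    if not _slots.acquire(blocking=False):
        conn.close()           # over capacity: dropping is cheaper than pitting
        return 0
    sent, deadline = 0, time.monotonic() + budget
    try:
        conn.sendall(b"HTTP/1.1 200 OK\r\n")
        while time.monotonic() < deadline:
            conn.sendall(b"X")   # one more byte of a header line that never ends
            sent += 1
            time.sleep(interval)
    except OSError:
        pass                     # peer disconnected; nothing more to do
    finally:
        _slots.release()
        conn.close()
    return sent

def simulate(request_line="GET /cmd.exe HTTP/1.0", interval=0.01, budget=0.2):
    """Offline self-check over a socketpair: (first bytes the probe sees, bytes dripped).
    Non-probe requests are not tarpitted and return (b"", 0)."""
    if not is_probe(request_line):
        return b"", 0
    srv, probe = socket.socketpair()
    out = []
    t = threading.Thread(target=lambda: out.append(tarpit(srv, interval, budget)))
    t.start()
    probe.settimeout(5)
    seen = probe.recv(64)
    t.join(5)
    probe.close()
    return seen, out[0]
```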
