
Re: [Sheflug] w0rm/Hax0r Attack



On Fri, 2004-04-02 at 18:31, Chris J wrote:
> And Lo! The Great Prophet =?iso-8859-1?Q?Jos=E9_Luis_G=F3mez?= Dans 
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That would be "José Luis Gómez Dans" in l33t-speak? ;o)

> There was talk of using iptables to block this sort of worm when Nimda 
> and CodeRed were on the loose, as apparently you can block packets based on 
> the contents of the data payload of an IP packet, which could be useful :-)

Hmm, it would be interesting to know how much processing power that
would require. Parsing HTTP isn't necessarily easy, I wouldn't think -
lots of room for denial of service with a bad implementation.

As for Apache defences, I thought most of these worms connected to IP
addresses rather than domain names? (I.e., speaking HTTP 1.0,
simplistically.) If that's the case, you could simply move all your
domains to virtual (HTTP 1.1) hosts and send the logging for the basic
non-virtual site to /dev/null. Wouldn't work for SSL, but then, there are
fewer attacks on that port.

Cheers,

Alex.
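The virtual-host trick Alex describes above, modelled in Python as an added example (not code from the original thread or from Apache): a request that carries a Host header matching a configured site is attributed to that site, while an HTTP/1.0 request with no Host header, or one whose Host header is a bare IP address, falls through to the default, non-virtual site. The site names, the `_default_` label and the sample requests are all constructed for the example.

```python
"""Route HTTP requests to named virtual hosts or a default site (added example).

Models the behaviour the post relies on: name-based (HTTP/1.1) virtual hosts
are selected by the Host header, and everything that cannot name a site, in
particular an HTTP/1.0 request with no Host header or a request addressed to
the server's bare IP, lands on the default site whose log can be handled
separately.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed configuration: the named sites we serve (assumed names).
NAMED_SITES = {"www.example.org", "lists.example.org"}
DEFAULT_SITE = "_default_"  # label for the non-virtual catch-all site

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$"
)


def parse_request(raw: str):
    """Return (method, target, version, headers) for a raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m["method"], m["target"], m["version"], headers


def strip_port(host: str) -> str:
    """Drop an optional :port; unwrap a bracketed IPv6 literal such as [::1]:80."""
    if host.startswith("["):
        return host.split("]", 1)[0][1:]
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_ip_literal(host: str) -> bool:
    """True when the Host value is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def select_vhost(raw: str) -> str:
    """Return the site that would serve (and log) this request."""
    _, _, _, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return DEFAULT_SITE  # HTTP/1.0-style request: no Host header at all
    hostname = strip_port(host).lower()
    if is_ip_literal(hostname) or hostname not in NAMED_SITES:
        return DEFAULT_SITE  # addressed to the IP, or to a name we do not serve
    return hostname


def split_logs(requests):
    """Group request lines by the site whose access log would record them."""
    logs = defaultdict(list)
    for raw in requests:
        method, target, version, _ = parse_request(raw)
        logs[select_vhost(raw)].append(f"{method} {target} HTTP/{version}")
    return dict(logs)


# Constructed sample traffic: two normal HTTP/1.1 requests and two probes that
# never name a site (no Host header; Host set to the server's IP address).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "GET /pipermail/ HTTP/1.1\r\nHost: lists.example.org:80\r\n\r\n",
    "GET /cgi-bin/probe HTTP/1.0\r\n\r\n",
    "GET /cgi-bin/probe HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
]

if __name__ == "__main__":
    for site, lines in split_logs(SAMPLE_REQUESTS).items():
        print(f"[{site}]")
        for line in lines:
            print("   ", line)
```

Sending the default site's log to `/dev/null`, as the post suggests, keeps the probe noise out of the real sites' logs; routing it to its own file instead keeps the same separation while preserving a record of what is scanning the server.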

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.