[NTLUG:Discuss] robots.txt / also Nimda & CodeRed fighting...
kbrannen@gte.net
Wed Mar 26 17:50:22 CST 2003
Darin W. Smith wrote:
...
> I've considered using a 'doze box to do a NET SEND xxx.xxx.xxx.xxx
> "Please scan your computer. You have a virus/worm." to all those IP's.
> Think I'd get in trouble? It would reveal my IP to them. This is
What does your ISP agreement say? :-)
> assuming that they have the messaging service open...which most probably
> will since they haven't bothered to apply any patches or scan for viruses
>
> Think it would do any good?
Yeh, they probably will have it open, but I doubt it would do much good;
though it might be fun to try.
>
> Since I have my webserver (Linux box - Mandrake 8.1 but soon migrating
...
> In the past, I have sent lists of the attbi.com IP's that are this way
> to abuse at attbi.com or abuse at comcast.com, but I don't think they really
> care. I care, partially because that stuff winds up eating lots of
> bandwidth.
They may not have time to care, which is as bad as not caring in that the end
result is the same.
If bandwidth was not an issue for you, I'd consider putting a HUGE file on my
system (like 4GB of zeros or maybe something like /dev/zero) and symlink all
the filenames Nimda and others want to that file, just so the offending
machine will fill its hard disk up, which should get someone's attention
eventually. ;-)

OTOH, since you care about bandwidth, check out the LaBrea Tarpit
program/suite. It goes thru all but the last step of the SYN/ACK connection
steps, thus holding a connection open but doing nothing. So the attacker is
slowed down, and nothing gets transmitted...though you'll probably need to
increase the max number of children it can spawn. See
http://www.threenorth.com/LaBrea/. Originally written for CodeRed, I see no
reason it wouldn't work for others.
From the webpage:
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea answers
those connection attempts in a way that causes the machine at the other end to
get "stuck", sometimes for a very long time.
HTH,
Kevin
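
The per-IP lists and bandwidth cost discussed in this thread can be pulled from an Apache access log. The sketch below is an added example, not code from the original post: it assumes Apache common log format, the log lines are constructed (documentation IP ranges), and the path patterns are assumed signatures based on the request paths commonly logged for CodeRed (`/default.ida?`) and Nimda (`root.exe` / `cmd.exe` probes).

```python
import re
from collections import defaultdict

# Assumed signatures: request paths these worms are commonly logged asking for.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe\?", re.I),
}
# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(path):
    """Return the worm family whose signature matches the path, or None."""
    for family, pattern in SIGNATURES.items():
        if pattern.search(path):
            return family
    return None

def summarize(lines):
    """Map source IP -> families seen, hit count and bytes served to worm probes."""
    report = defaultdict(lambda: {"families": set(), "hits": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        family = classify(m["path"])
        if family is None:
            continue  # ordinary traffic is not reported
        entry = report[m["ip"]]
        entry["families"].add(family)
        entry["hits"] += 1
        entry["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return dict(report)

# Constructed sample log lines, not taken from any real server.
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2003:17:01:02 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [26/Mar/2003:17:03:10 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '198.51.100.7 - - [26/Mar/2003:17:03:11 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [26/Mar/2003:17:05:00 -0600] "GET /robots.txt HTTP/1.0" 200 68',
    'truncated line without a request',
]

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE).items()):
        print(ip, ",".join(sorted(e["families"])), e["hits"], e["bytes"])
```

The printed lines (IP, family, hits, bytes) are the kind of evidence an abuse desk can act on, and the byte totals show how much bandwidth the probes actually cost.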