__/ [Jim Richardson] on Thursday 13 October 2005 08:59 \__
> On Thu, 13 Oct 2005 05:14:18 +0100,
> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> I have yet another reason to hate Windows with /passion/. My Linux server
>> has come under heavy attacks by Windows machine that had been hijacked
>> and it's putting my Web host in jeopardy. Motive? Referrer spam that
>> comes with the visits en masse.
>> I am unable to work. All I do is merely investigate my Apache options for
>> filtering and looking at logs. It's 5 AM over here and I am struggling
>> for survival as Windows zombies continue to hammer me. To anyone who says
>> that Windows is not harmful to the world, use /that/ to argue for the
>> Had there been no stinkin', rusty Windows, I'd be able to do some real
>> work. I can think of many other moves and strategies at Microsoft that
>> encouraged spam in the past decade or two. Hate spam? Blame Microsoft.
> One way to deal with MS-Windows zombie attacks on a webserver, is to
> look at the user agent string. Most of the crappy zombie boxes put
> garbage in the user agent string, and can be filtered out on that. Also,
> you can tarpit them, if you'd rather. Which will quickly bog them down,
> without affecting you much.
> <http://www.netfilter.org/patch-o-matic/pom-extra.html> for adding a
> tarpit target to iptables, then add a rule for the ip addr of the zombie
> box, with a tarpit target, and bye bye zombie, they get to hang on
> connections for eternity, or until they give up. But in any case, don't
> bog down your server anywhere near as much.
> The downside to this approach, is that the iptables module needs to be
> recompiled, and if you compiled it into the kernel, then you'll need a
> kernel recompile. It's not part of the std iptables setup yet IIRC.
> You have two problems to solve, identifying the zombie boxes IP
> addresses, and doing something about it. Tarpit covers the second part,
> or you could just deny or reject all connections, but that doesn't do
> much for your bandwidth, and can take up a fair amount of resources.
> For the first part, like I said, the user agent string is one thing to
> look at, also maybe look at connection patterns, but that's getting more
> detailed than the present info will allow.
> Good luck, zombie MS-Windows boxes are a real pita.
The user-agent string is not a verbiage. It is consistently Windows, which
unfortunately is a ubiquitous O/S.
As for filters of various types, I have already been told about 3 separate
All of them require root access so I contacted my Web host last night.
As for the IP addresses, they are a diverse scatter. They are merely
meaningless as a discriminant.
For the time being, I keep an eye on the AWstats log outputs (every half an
hour) and deny all URLs that the zombies target. This reduces the traffic
and keeps the site alive. The heaviest pages are intentionally targeted by
zombies, so quick reaction is a necessity.
Roy S. Schestowitz | Roughly 2% of your keyboard is O/S-specific
http://Schestowitz.com | SuSE Linux | PGP-Key: 74572E8E
11:20am up 48 days 23:34, 4 users, load average: 0.70, 0.57, 0.49
http://iuron.com - next generation of search paradigms
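As an added example, not part of either post: a small Python script that applies the approach discussed in this thread to Apache combined-format access logs. Since the user-agent is uniformly Windows and the client IPs are a meaningless scatter, it keys on the one thing referrer spam cannot hide, the referrer itself, flagging any referrer that arrives from several unrelated addresses and listing the paths those hits target (the pages to block first). The log lines and hostnames are constructed; the emitted directives are standard Apache 2.2-style SetEnvIf/Deny rules.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Apache "combined" format: ip ident user [date] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_referrer_spam(lines, min_ips=3):
    """Return (spam_referers, targeted_paths): a referrer seen from at least
    min_ips distinct client IPs is treated as spam; targeted_paths counts its hits per path."""
    ips_by_ref = defaultdict(set)
    hits_by_ref = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("-", ""):
            continue  # unparsable line or direct visit: nothing to key on
        ips_by_ref[rec["referer"]].add(rec["ip"])
        hits_by_ref[rec["referer"]][rec["path"]] += 1
    spam = {ref for ref, ips in ips_by_ref.items() if len(ips) >= min_ips}
    targeted = defaultdict(int)
    for ref in spam:
        for path, n in hits_by_ref[ref].items():
            targeted[path] += n
    return spam, dict(targeted)

def deny_rules(spam_refs):
    """Apache 2.2-style directives refusing requests whose Referer names a spam host."""
    rules = []
    for ref in sorted(spam_refs):
        host = re.escape(urlparse(ref).hostname or ref)
        rules.append(f'SetEnvIfNoCase Referer "{host}" spam_ref')
    return "\n".join(rules + ["Order Allow,Deny", "Allow from all", "Deny from env=spam_ref"])

# Constructed sample: three unrelated hosts carrying one referrer, plus normal traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Oct/2005:04:58:11 +0100] "GET /heavy-page.html HTTP/1.1" 200 51234 "http://spam.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.2 - - [13/Oct/2005:04:58:12 +0100] "GET /heavy-page.html HTTP/1.1" 200 51234 "http://spam.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.3 - - [13/Oct/2005:04:58:13 +0100] "GET /gallery.html HTTP/1.1" 200 80000 "http://spam.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.9 - - [13/Oct/2005:04:59:01 +0100] "GET /index.html HTTP/1.1" 200 2048 "http://search.example/?q=linux" "Mozilla/5.0 (X11; Linux)"
10.0.0.9 - - [13/Oct/2005:04:59:05 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
"""
if __name__ == "__main__":
    spam, targeted = find_referrer_spam(SAMPLE_LOG.splitlines())
    print("spam referrers:", spam, "targeted paths:", targeted)
    print(deny_rules(spam))
```

Raise min_ips on a busy site, since a genuinely popular referring page will also show up from many addresses; the point is to review the flagged list, not to apply it blindly.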