Re: SEARCH attack
OK, you've gone beyond me. What do you mean by blocking the NOP operation
or jmp/mov instruction? How would you do this with an Apache server on a
Also, wouldn't replacing the www.microsoft.com with localhost (or
http://127.0.0.1/) just send the request right back to my own server,
probably even putting it in a loop?
----- Original Message -----
Sent: Monday, June 07, 2004 11:01 PM
Subject: Re: SEARCH attack
> I see these all the time myself and to turn the server into a black
> hole when it comes to exploitable code is a interesting idea.
> Blocking the NOP operation by blocking x90 does that pretty nicely on
> its own, however you could also block a jmp/mov instruction if you
> really wanted to be 'safe', but some users like using hex values for
> things, so its a trade off since people tend to move to other service
> providers when they find out there current one doesn't allow the
> input needed by there favorite script.
> Perhaps switching 'http://www.microsoft.com' from that howto with
> 'localhost' would be even more interesting; But from a legal
> standpoint the water is murky on that scale.
> - D
> On 7 Jun 2004 at 16:41, Dena Whitebirch wrote:
> > I was getting pounded by these too and am wondering though if it worried
> > anyone else that we might be considered to be attacking Microsoft by
> > doing this rewrite? Might there be a similar way to just 'stop' them
> > sending them to /dev/null or something?
> > >
> > Regards,
> > Dena A. Whitebirch
> > --
> > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact