
experience with tarpitting nimda & co

Hi all.

I just wanted to let you know about some experiences with my nimda-tarpit script that I wrote. I've been using it for a little more than a week now.

The script is written in PHP, and I'm using rewrite rules to direct Nimda attacks to this script. It first displays two messages, waits some seconds in between, then it starts sending a "*" every 30 seconds in order to hold up the connection. The script stops running only when the "client" breaks off the connection. In order to prevent a DoS attack on my normal web service I use a counter for every instance of the script that is running. If this counter exceeds a given threshold, the script just displays something like "piss off" and quits.

After using this script for a while I can say the following: most of the attacks come from worms, not from script kiddies that run worm-like tools manually. Every attack (and there have been some) was aware of tarpitting connections; they disconnected within 15 seconds, so tarpitting them does not work at all. A negative side effect of the tarpit script is that the number of connections rose visibly during each attack. I guess this is because of the "200" they receive instead of the "404".

I will shut down the tarpit script this weekend and remove the rewrite rules. It seems as if this experiment failed.

Another idea that came to my mind was an iptables module that is able to redirect HTTP worm attacks to the "drop" chain. They would not get through to the web server, therefore would not get a web server status response, and the amount of traffic that is caused by them would be minimal. Is there anything that speaks against that idea (apart from the fact that I have no experience in writing such a module)?

Bye, Mike
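As an added illustration of the tarpit Mike describes (this is not his PHP script and is not part of the original post), here is a small Python 3 equivalent: a request classifier keyed on the well-known Nimda probe paths listed in CERT advisory CA-2001-26, a counter that caps concurrent tarpit instances so the tarpit itself cannot be turned into a DoS against the real site, and the hold-the-line loop that sends a "*" every 30 seconds until the client drops the connection. The greeting texts, the cap of 20 instances, the 503 status on the refusal path, the listening port and the `max_ticks` knob (there only so the loop can be exercised without a live client) are my own assumptions; the sample request lines at the bottom are constructed from the advisory's probe list.

```python
"""Nimda HTTP tarpit (added example, not the original PHP script).

Behaviour reproduced from the post: match the probe, send two messages with
a pause in between, then one "*" every 30 s until the client hangs up, with a
cap on concurrent tarpit instances (assumed: 20) so the tarpit cannot starve
the real web service.
"""
import re
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Tell-tale fragments of the Nimda / Code Red II probe paths from CERT
# CA-2001-26 (root.exe, cmd.exe via the /scripts, /_vti_bin, /_mem_bin and
# /msadc directories with encoded "../" traversal). Matching fragments rather
# than exact paths also catches the overlong-UTF-8 and double-encoded variants.
NIMDA_PATTERNS = re.compile(
    r"/root\.exe|/cmd\.exe|/(scripts|_vti_bin|_mem_bin|msadc)/\.\.%",
    re.IGNORECASE,
)


def is_nimda_probe(request_line: str) -> bool:
    """True if an HTTP request-line looks like a Nimda probe (GET only)."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    return method.upper() == "GET" and NIMDA_PATTERNS.search(target) is not None


class TarpitBudget:
    """Counts running tarpit instances; acquire() refuses above the threshold."""

    def __init__(self, max_instances: int):
        self.max_instances = max_instances
        self._active = 0
        self._lock = threading.Lock()

    def acquire(self) -> bool:
        with self._lock:
            if self._active >= self.max_instances:
                return False
            self._active += 1
            return True

    def release(self) -> None:
        with self._lock:
            self._active -= 1

    @property
    def active(self) -> int:
        return self._active


def tarpit(write, sleep=time.sleep, banner_delay=5.0, tick=30.0, max_ticks=None) -> int:
    """Stream the tarpit payload until the peer disconnects.

    `write(bytes)` must raise an OSError (BrokenPipeError / ConnectionResetError)
    once the client is gone; that is the only normal way out when max_ticks is
    None, as in the post. Returns the number of "*" ticks actually sent.
    """
    ticks = 0
    try:
        write(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n")
        write(b"Hello, worm.\n")                 # assumed first message
        sleep(banner_delay)
        write(b"Please hold the line.\n")        # assumed second message
        while max_ticks is None or ticks < max_ticks:
            sleep(tick)
            write(b"*")
            ticks += 1
    except OSError:
        pass                                     # client broke off the connection
    return ticks


BUDGET = TarpitBudget(max_instances=20)          # assumed threshold


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_nimda_probe(self.requestline):
            self.send_error(404)                 # ordinary traffic is untouched
            return
        if not BUDGET.acquire():
            # Threshold reached: short reply, close, no instance started.
            self.send_response(503)
            self.end_headers()
            self.wfile.write(b"piss off\n")
            return
        try:
            tarpit(self.wfile.write)
        finally:
            BUDGET.release()


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it directly to listen on 127.0.0.1:8080; in a real deployment the rewrite rules (or a reverse proxy) would hand only the matching requests to it, exactly as in the post. The budget check happens before any tarpit output is written, so once the cap is hit each further probe costs one short response and a closed socket rather than a held connection.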
