experience with tarpitting nimda & co
Hi all.
I just wanted to let you know about some experiences with my 
nimda-tarpit script that I wrote. I've been using it for a little more 
than a week now.
The script is written in PHP, and I'm using rewrite rules to direct 
nimda attacks to this script. It first displays two messages, waits some 
seconds in between, then starts sending a "*" every 30 seconds in 
order to hold up the connection. The script stops running only when the 
"client" breaks off the connection. In order to prevent a DoS attack on 
my normal web service I use a counter for every instance of the script 
that is running. If this counter exceeds a given threshold, the script 
just displays something like "piss off" and quits.
After using this script for a while I can say the following: most of the 
attacks come from worms, not from script kiddies that run worm-like 
tools manually. Every attack (and there have been some) was aware of 
tarpitting connections; they disconnected within 15 seconds, so 
tarpitting them does not work at all. A negative side effect of the 
tarpit script is that the number of connections rose visibly during 
each attack. I guess this is because of the "200" they receive instead 
of the "404".
I will shut down the tarpit script this weekend and remove the rewrite 
rules. It seems as if this experiment failed.
Another idea that came to my mind was an iptables module that is able to 
redirect HTTP worm attacks to the "drop" chain. They would not get 
through to the web server, therefore would not get a web server status 
response, and the amount of traffic that is caused by them would be 
minimal. Is there anything that speaks against that idea (apart from the 
fact that I have no experience in writing such a module)?
Bye, Mike
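For readers who want to try the same experiment, here is an added example of a tarpit script with the behaviour the post describes (two messages, a "*" every 30 seconds, a concurrency counter with a threshold). It is not Mike's script and not from the original post; the counter file path, the threshold of 20, the one-hour cap on a held connection, and the Nimda/Code Red request patterns named in the rewrite-rule comment are all assumptions made for the example. It needs PHP 5.5 or later (for `finally`) and an Apache mod_rewrite rule that sends matching requests to it.

```php
<?php
// Tarpit for worm requests: added example, not the script from the post.
//
// Assumed Apache rule (not in the original post), placed in the vhost config:
//   RewriteEngine On
//   RewriteRule (cmd\.exe|root\.exe|default\.ida) /tarpit.php [L]
//
// Assumptions for this example: counter kept in a flock()-guarded file,
// at most 20 tarpitted clients at once, a held connection is dropped after
// one hour so a half-dead peer cannot pin an httpd worker forever.

declare(strict_types=1);

const COUNTER_FILE = '/var/tmp/tarpit.count'; // assumption
const MAX_CLIENTS  = 20;                      // assumption
const TICK_SECONDS = 30;                      // "*" interval from the post
const MAX_HOLD     = 3600;                    // assumption: cap per connection

// Keep running after the client disconnects so we can detect it ourselves
// with connection_aborted() and decrement the counter in the finally block.
ignore_user_abort(true);
set_time_limit(0);

// Atomically add $delta to the shared counter and return the new value.
// Fails closed: if the counter file cannot be opened, report "too many"
// so the request is refused rather than tarpitted without accounting.
function adjustCounter(int $delta): int
{
    $fh = fopen(COUNTER_FILE, 'c+');
    if ($fh === false) {
        return PHP_INT_MAX;
    }
    flock($fh, LOCK_EX);
    $n = max(0, (int) stream_get_contents($fh) + $delta);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, (string) $n);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $n;
}

// Write a chunk, push it to the socket, and report whether the peer is
// still there. connection_aborted() only becomes true after a flush that
// hits a closed socket, so every probe must go through here.
function emit(string $s): bool
{
    echo $s;
    flush();
    return !connection_aborted();
}

// No output buffering, otherwise the "*" ticks never reach the wire.
while (ob_get_level() > 0) {
    ob_end_flush();
}
header('Content-Type: text/plain');

if (adjustCounter(+1) > MAX_CLIENTS) {
    adjustCounter(-1);
    http_response_code(503);
    echo "Too many connections, go away.\n";
    exit;
}

try {
    // Answer 404 rather than the 200 the post's script sent: the worm gets
    // the same status a clean server would give, and the connection is held
    // open regardless of the status code.
    http_response_code(404);
    if (!emit("Not found. This host is not vulnerable to that request.\n")) {
        exit;
    }
    sleep(5);
    if (!emit("Your connection is now being held open.\n")) {
        exit;
    }
    $start = time();
    while (time() - $start < MAX_HOLD) {
        sleep(TICK_SECONDS);
        if (!emit('*')) {
            break; // client gave up
        }
    }
} finally {
    adjustCounter(-1);
}
```

The counter is decremented in `finally`, so a client that disconnects, a reached time cap, and a PHP fatal error all release the slot; the original failure mode of a counter that only ever goes up is what turns a tarpit into a self-inflicted DoS. Check the counter file after a test run (`cat /var/tmp/tarpit.count` should read `0` once all test connections are closed) before pointing live rewrite rules at the script.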