RE: [incidents] Bots hitting my web server?

From: Rob Keown (Keownat_private)
Date: Fri Aug 30 2002 - 14:36:33 PDT


    I would recommend the switch to a new IP address. Use DNS Round Robin
    (assuming you can multi-home) for the transition period and, once TTLs have
    expired, eliminate the exploited address.
    
    Rob
    
    
    -----Original Message-----
    From: zcatat_private [mailto:zcatat_private]
    Sent: Friday, August 30, 2002 2:48 AM
    Cc: incidentsat_private
    Subject: RE: [incidents] Bots hitting my web server?
    
    
    
    > You're not seeing bots, you're seeing surfers in a misguided
    > attempt to keep their "anonymity," or to defeat proxies
    > that filter by domain/host in corporate/school environments
    > (hence the porn site requests you see in your logs).
    
    Here's another suggestion. Reconfigure Apache so that every time someone
    attempts to use it as a proxy it returns (in the appropriate format;
    HTML, JPG, etc. to match the request) a small message announcing that the
    request and client IP are being logged to a publicly accessible web
    page. On that web page explain WHY you're doing this (cost of bandwidth
    etc). That should get you off the end-user's proxy lists very quickly,
    and will eventually help with the public lists too. And it'll educate a
    few of the proxy-list users who are probably under the impression that all
    proxies are run intentionally as a public service, like IRC servers and
    MUDs.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 02 2002 - 10:08:23 PDT
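
Added example, not part of the original thread or of any poster's code: a small Python pass over an Apache access log that picks out the proxy-style requests discussed above (a request line naming a foreign host, or a CONNECT) and shows which clients send them and which of them got a 2xx answer. The host names in LOCAL_HOSTS, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the host names this server legitimately answers for.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Apache Common/Combined Log Format prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/Aug/2002:02:41:07 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [30/Aug/2002:02:41:09 -0700] "GET http://www.example.net/banner.jpg HTTP/1.0" 200 2326',
    '198.51.100.7 - - [30/Aug/2002:02:41:12 -0700] "GET http://www.example.net/page.html HTTP/1.0" 404 291',
    '203.0.113.5 - - [30/Aug/2002:02:42:00 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    '192.0.2.10 - - [30/Aug/2002:02:43:00 -0700] "GET http://www.example.org/ HTTP/1.1" 200 512',
]

def proxy_target(request):
    """Return the host a request line tries to reach through us, or None."""
    parts = request.split()
    if len(parts) < 2:
        return None                       # malformed or empty request line
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":               # CONNECT host:port is always a proxy request
        return target.rsplit(":", 1)[0].lower()
    if "://" in target:                   # absolute-URI form: GET http://host/path
        host = (urlsplit(target).hostname or "").lower()
        return host if host and host not in LOCAL_HOSTS else None
    return None                           # origin-form (/path): ordinary request

def summarize(lines):
    """Count proxy attempts per client IP and list the ones answered with 2xx."""
    attempts, served = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        host = proxy_target(m["request"]) if m else None
        if host is None:
            continue
        attempts[m["ip"]] += 1
        if m["status"].startswith("2"):   # success response: worth a closer look
            served.append((m["ip"], host))
    return attempts, served
```
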