Distributing the 404/403 error takes connections and bandwidth. Adding the following configuration to Apache will reduce the impact on the servers. I have been doing this for some time on the production servers that I manage.

    AliasMatch ^/scripts(.*) "/www/bogus/index.html"
    AliasMatch ^/.*(ida|htr|idc|htw) "/www/bogus/index.html"

Replace the second argument with the path to a zero-length index file (e.g. touch /www/bogus/index.html).

Just to give you an idea of the savings:

With the "mitigation" configuration:

    172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0

So, it transfers 0 bytes.

Now without the "mitigation" config:

    172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321

It transfers 321 bytes. The above was tested with the standard Apache "404" error.

Now, on 15 production Apache servers there are 6100 entries on the average per server, 91500 entries. With a 908 byte custom error document on our production servers, that's 83MB of data. This starting sample date is Sunday. Note that this is with 1 IP address per server. The usage should increase linearly as you add virtual IPs.

Now, I am not taking into account the additional packet overhead which in accounting terms is a fixed cost and would likewise apply to the "mitigation" configuration.

John Coke
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

> -----Original Message-----
> From: George Milliken [mailto:gmillikenat_private]
> Sent: Wednesday, September 19, 2001 8:59 AM
> To: Incidentsat_private
> Subject: RE: Anyone????? FW: Concept Virus(CV) V.5 - Quick analysis update
>
>
> Maybe something like a rewrite rule
>
> RewriteEngine On
> RewriteRule ^.*/cmd\.exe.* - [F,L]
> RewriteRule ^.*/root\.exe.* - [F,L]
>
> This will send "forbidden" to systems trying those URLs and will stop
> rewrite processing.
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
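As an added example (not part of this thread), the script below applies the two AliasMatch patterns from the post to Apache common-log lines, totals the bytes served to matching requests, and reproduces the post's 83MB projection. The sample log is constructed: it reuses the two log lines quoted in the post and adds two made-up requests from 10.0.0.x hosts.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# The two AliasMatch patterns from the post, written as Python regexes.
ALIAS_PATTERNS = [
    re.compile(r'^/scripts(.*)'),
    re.compile(r'^/.*(ida|htr|idc|htw)'),
]


def is_probe(url: str) -> bool:
    """True if either AliasMatch rule in the post would catch this URL."""
    path = url.split('?', 1)[0]  # AliasMatch matches the path, not the query string
    return any(p.search(path) for p in ALIAS_PATTERNS)


def summarize(lines):
    """Count requests the rules catch and the bytes served to them, per status."""
    summary = {'probes': 0, 'bytes': 0, 'by_status': {}}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m['url']):
            continue
        sent = 0 if m['bytes'] == '-' else int(m['bytes'])
        summary['probes'] += 1
        summary['bytes'] += sent
        summary['by_status'][m['status']] = summary['by_status'].get(m['status'], 0) + 1
    return summary


def projected_bytes(probes_per_server: int, servers: int, error_doc_bytes: int) -> int:
    """The post's estimate: entries per server x servers x size of the 404 body."""
    return probes_per_server * servers * error_doc_bytes


# Constructed sample log: the two lines from the post, a legitimate request whose path
# happens to contain "ida", and an ordinary front-page hit.
SAMPLE_LOG = """\
172.16.89.153 - - [19/Sep/2001:17:36:17 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 200 0
172.16.89.153 - - [19/Sep/2001:17:38:06 +0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 321
10.0.0.5 - - [19/Sep/2001:17:40:00 +0600] "GET /florida/index.html HTTP/1.0" 200 2048
10.0.0.6 - - [19/Sep/2001:17:41:00 +0600] "GET /index.html HTTP/1.0" 200 908
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
    print(projected_bytes(6100, 15, 908), "bytes projected for 15 servers")
```

The constructed /florida/index.html line is counted as a probe because the second AliasMatch has no anchor after its extension group, so it also redirects legitimate paths that merely contain those letter sequences; anchoring on the file extension (for example `\.(ida|htr|idc|htw)$`) avoids that.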
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 17:18:19 PDT