Security Incidents: RE: [incidents] Bots hitting my web server?

[Rob Keown <Keown () MACDIRECT COM>]

I would recommend the switch to a new IP address. Use DNS Round Robin
(assuming you can multi-home) for the transition period and once TTL's have
expired eliminate the exploited address.

Rob


-----Original Message-----
From: zcat () bsd co nz [mailto:zcat () bsd co nz]
Sent: Friday, August 30, 2002 2:48 AM
Cc: incidents () securityfocus com
Subject: RE: [incidents] Bots hitting my web server?



> You're not seeing bots, you're seeing surfers in a misguided
> attempt to keep their "anonymity," or to defeat proxies
> that filter by domain/host in corporate/school environments
> (hence the porn site requests you see in your logs).
Here's another suggestion. Reconfigure apache so that every time someone
attempts to use it as a proxy it returns (in the appropriate format;
html, jpg, etc to match the request) a small message announcing that the
request and client IP are being logged to a publically accessable web
page. On that web page explain WHY you're doing this (cost of bandwidth
etc). That should get you off the end-user's proxy lists very quickly,
and will eventually help with the public lists too. And it'll educate a
few of the proxy-list users who are probably under the impression that all
proxies are run intentionally as a public service, like IRC servers and
MUD's.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com