Forum OpenACS Q&A: Crack attempts and wasted bandwidth

Posted by Randy Ferrer on

Hi - In the last week I've seen a lot of this in my server logs - SEARCH \220^B\261......................lonnnnnnng string. No problems so far as I can detect. The server returns a 404 error but the issue is the wasted bandwidth created by these attempts to crack the server or synflood it.

I was wondering if anyone might have some idea as to how to filter these requests so that the server simply does not respond. Sort of like sending output to null in Unix: >/dev/null 2>&1.

These attacks originate mostly in Asia. I Googled the string but found nothing. Has anyone else seen this form of attack?

TIA

Posted by David Walker on
Yes. I filter and monitor all SEARCH requests and I have been seeing plenty of those.

Since SEARCH is a WebDAV command, I assume the following would prevent WebDAV from working. The filter as written also blocks .exe, .dll, .ida etc. file requests.

Personally I log the requests but you could change it to ignore them.

proc vt_notfound_from_filter {conn args why} {
    # decided this one is harmless enough for an exception to the dll rule
    if {[lsearch -glob [list {/_vti_bin/owssvr.dll}] [ns_conn url]] > -1} {
        return filter_ok
    }

    # log source address, method and target, then answer 403 without serving anything
    set host_header [ns_set iget [ns_conn headers] "Host"]
    ns_log error "FROM=\"[ns_conn peeraddr]\",MSG=\"Intrusion attempt\",TARGET=\"[ns_conn method] ${host_header}[ns_conn url]?[ns_conn query]\""
    ns_returnforbidden
    return filter_return
}

foreach pat [list *.bak* *.inc *.swt *CVS* *.ida *.exe* *.dll* /includes* /cgi-bin*] {
    # do not serve backup or include files and log attempts to hit them
    ad_register_filter preauth GET ${pat} vt_notfound_from_filter
    ad_register_filter preauth POST ${pat} vt_notfound_from_filter
    ad_register_filter preauth HEAD ${pat} vt_notfound_from_filter
}

foreach pat [list BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH COPY DELETE LOCK MKCOL MOVE NOTIFY POLL PROPFIND SEARCH SUBSCRIBE UNLOCK UNSUBSCRIBE PUT CONNECT] {
    # reject WebDAV and other non-standard request methods on every URL, and log them
    ns_register_filter preauth ${pat} * vt_notfound_from_filter
}
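The filter above writes one `FROM=...,MSG="Intrusion attempt",TARGET=...` entry per blocked request, so the error log becomes the place to watch for noisy sources. The script below is an added example (not from the thread or from OpenACS) that parses those entries and summarises hits per source address and per method; the bracketed timestamp/thread prefix and the log lines themselves are constructed samples in the AOLserver error-log shape.

```python
import re
from collections import Counter

# Matches only the fields the filter's ns_log call writes; the surrounding
# AOLserver log prefix is assumed and not relied on.
FILTER_LINE = re.compile(
    r'FROM="(?P<src>[^"]+)",MSG="Intrusion attempt",'
    r'TARGET="(?P<method>\S+) (?P<target>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 test addresses, example.org hostname).
SAMPLE_LOG = """\
[02/Mar/2004:10:15:01][1234.5][-conn0-] Error: FROM="192.0.2.10",MSG="Intrusion attempt",TARGET="SEARCH www.example.org/?"
[02/Mar/2004:10:15:02][1234.5][-conn1-] Error: FROM="192.0.2.10",MSG="Intrusion attempt",TARGET="SEARCH www.example.org/?"
[02/Mar/2004:10:15:09][1234.5][-conn2-] Error: FROM="192.0.2.10",MSG="Intrusion attempt",TARGET="PROPFIND www.example.org/?"
[02/Mar/2004:10:16:40][1234.5][-conn3-] Error: FROM="198.51.100.7",MSG="Intrusion attempt",TARGET="GET www.example.org/cgi-bin/test.exe?"
[02/Mar/2004:10:17:12][1234.5][-conn0-] Error: FROM="203.0.113.5",MSG="Intrusion attempt",TARGET="GET www.example.org/NULL.printer?"
[02/Mar/2004:10:18:00][1234.5][-main-] Notice: nsmain: server running
"""


def parse_filter_events(lines):
    """Yield (src, method, target) for every line written by the filter."""
    for line in lines:
        m = FILTER_LINE.search(line)
        if m:
            yield m.group("src"), m.group("method"), m.group("target")


def summarize(lines, threshold=3):
    """Count blocked requests per source and per method; list sources whose
    hit count reaches `threshold` so they can be reviewed or rate-limited."""
    per_src, per_method = Counter(), Counter()
    for src, method, _target in parse_filter_events(lines):
        per_src[src] += 1
        per_method[method] += 1
    noisy = sorted(src for src, n in per_src.items() if n >= threshold)
    return {"per_src": dict(per_src), "per_method": dict(per_method), "noisy": noisy}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the real error log instead of `SAMPLE_LOG` (for example `summarize(open(path))`) to see which sources generate the bulk of the blocked SEARCH traffic.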

Posted by Randy Ferrer on

Hi David - Thanks a million for the filter. Where do you run this from? I imagine the best place is the /tcl/*init.tcl file?

BTW I'm also noticing a few "NULL.printer" requests in the log files. Is this WebDAV stuff as well?

Thanks!!

Posted by David Walker on
I am not sure about the best place to run it since I am running this filter on a server that runs OpenACS 3.something.

NULL.printer is another attempt to exploit the default settings on an IIS server.