Nimda Help Please


techgirl
09-05-2002, 08:39 PM
Hi Everyone:

My site has been getting hit by the same IP for 2 days, every half hour. 500 hits and counting. I've written to the ISP (qwest.net), no response. I've read to deny the IP in the .htaccess file but that still serves a forbidden page. I've read I should make a 1 byte cmd.exe, and I've read making that file will only make it worse. So, what's the best way to handle this in terms of limiting bandwidth? And if anyone has a redirect script I'd love to see it.

Thanx - Karen

skolnick
09-05-2002, 08:50 PM
I can't really tell you how much this helps, but I use the following commands in .htaccess in the top-level directory:
Redirect 410 /scripts
Redirect 410 /MSADC
Redirect 410 /c
Redirect 410 /d
Redirect 410 /_mem_bin
Redirect 410 /msadc
RedirectMatch 410 (.*)/cmd\.exe$

The 410 code indicates that the resource is gone, removed, kaput (see http://httpd.apache.org/docs/mod/mod_alias.html#redirect) and hopefully cuts down on the repeats. Certainly can't hurt.

techgirl
09-05-2002, 09:57 PM
Thanks Dave, I'll try it and let you know if it works.

-Karen

techgirl
09-05-2002, 10:40 PM
It doesn't work at all :(

techgirl
09-06-2002, 02:57 AM
If anyone reading this is interested in how to limit the bandwidth that Nimda wastes, here's a site I found some useful info at: http://www.thesitewizard.com/news/nimbdaworm.shtml
At the end of his article he gives step by step instructions for dealing with this nuisance. Hope it helps!

hobbes
09-06-2002, 08:41 AM
A layer 7(?) filter for all FQ sites would be easier for all (if more resource intensive); although I'd guess FQ's routers may not filter content (url).

Another possibility is whether Nimda hits can be dealt with at the Apache config (httpd.conf) level without getting a noticeable performance hit.

skolnick
09-06-2002, 11:12 AM
Originally posted by techgirl:
It doesn't work at all :(
What does that mean? In my case (interesting correlation to the link you provide), my 404 page is about 10k (10,800 bytes). The 410 error is only a few dozen bytes. That is an improvement in my mind. *If* (big if) the 410 makes them go away, great. If not, at least the bandwidth consumed is relatively small.

techgirl
09-06-2002, 12:50 PM
I didn't realize you were using the 410 to reduce bandwidth. I thought the code would put an end to the activity, but it seemed it made it more persistent. Although, I realize that the increase in activity might have had nothing to do with the modifications you suggested for the .htaccess. Also, where in the logs can you see the difference between sending a 410, 403, or 404 error? I can only find summaries for bandwidth or for files not found. At any rate, I really did appreciate the fact that you took the time to try to help.

Thanks Again - Karen
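
Skolnick's Redirect/RedirectMatch rules above and Karen's question about where the logs show which code was sent, as one added example (this is not code from anyone in the thread): a Python script that applies the posted rules to Apache access-log lines and tallies, per client, how many probes hit, which status codes went back, and how many body bytes were served. The combined log format, Apache's segment-boundary prefix matching for Redirect, the log lines and the client addresses are all assumptions constructed for this example, not data from the thread.

```python
"""Added example: apply the posted .htaccess rules to Apache access-log lines."""
import re
from collections import defaultdict

# skolnick's rules, restated in Python (assumption: Apache's Redirect matches
# a URL-path prefix on a segment boundary, so "/c" covers "/c/..." but not "/contact").
GONE_PREFIXES = ("/scripts", "/MSADC", "/c", "/d", "/_mem_bin", "/msadc")
GONE_PATTERN = re.compile(r".*/cmd\.exe$")   # the RedirectMatch rule, as a valid regex

# Apache "combined" log format (assumption: that is what the server writes):
# host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def is_gone(path):
    """True when the posted .htaccess rules would answer this path with 410."""
    for prefix in GONE_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return GONE_PATTERN.match(path) is not None


def parse_line(line):
    """Pull host, path, status and body bytes out of one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # Redirect sees the path, not the query
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # "-" means no body
    return rec


def tally(lines):
    """Per client: probes that matched the rules, status codes actually sent, body bytes served.
    The bytes column of the log (%b) counts the body only, not the headers."""
    report = defaultdict(lambda: {"probes": 0, "statuses": set(), "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_gone(rec["path"]):
            continue
        entry = report[rec["host"]]
        entry["probes"] += 1
        entry["statuses"].add(rec["status"])
        entry["bytes"] += rec["bytes"]
    return dict(report)


# Constructed sample log lines; the client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Sep/2002:20:39:01 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 10800 "-" "-"
192.0.2.10 - - [05/Sep/2002:20:39:01 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 10800 "-" "-"
192.0.2.10 - - [05/Sep/2002:20:39:02 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 410 - "-" "-"
198.51.100.7 - - [05/Sep/2002:20:40:15 -0500] "GET /docs/index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Sep/2002:20:40:16 -0500] "GET /contact HTTP/1.1" 200 1536 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for host, entry in sorted(tally(SAMPLE_LOG.splitlines()).items()):
        codes = ",".join(str(c) for c in sorted(entry["statuses"]))
        print(f"{host:16} probes={entry['probes']:3} status={codes:8} bytes={entry['bytes']}")
```

The status and bytes columns of the access log are where a 403, 404 or 410 becomes visible per request; the summary reports Karen mentions only aggregate them. Note that the logged byte count is the body alone, which is why a zero-byte 410 shows up as "-".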

skolnick
09-07-2002, 11:24 AM
Karen --

If you find a way to completely stop the activity I will kiss you, and there will be thousands of people standing in line behind me to do the same thing. Heck, I'd kiss hobbes if he came up with a real solution.

From looking at the logs, it appears to me that every time Nimda hits my site it hits 16 times, looking for 16 different files. My first goal was to reduce the bandwidth associated with each request; I ended up with the 410 redirection idea to avoid sending my 10k 404 page.

Your question caused me to look at just what is really sent when my 410 goes out. It turns out that I send 526 bytes:

HTTP/1.1 410 Gone
Date: Sat, 07 Sep 2002 13:41:26 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>410 Gone</TITLE>
</HEAD><BODY>
<H1>Gone</H1>
The requested resource<BR>/scripts/..Á{../winnt/system32/cmd.exe<BR>
is no longer available on this server and there is no forwarding address.
Please remove all references to this resource.
<HR>
<ADDRESS>Apache/1.3.26 Server at www.skolnick.org Port 80</ADDRESS>
</BODY></HTML>

Better, but more than I expected. I got it down to 357 bytes by defining a 410 document, 410.html:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>Go Away</TITLE>
</HEAD><BODY>
<H1>Go Away</H1>
</BODY></HTML>

Not too bad. I got it down to 220 bytes by making 410.html a zero byte file. All good. Thank you for causing me to look, and for finding a way to cut the bandwidth by more than half.

As to how, I telnet into my website (telnet my_domain 80) and type

GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

followed by two carriage returns. I cut and paste the response into Word and run Tools/Word Count on it. Add the number for "Characters (with spaces)" to the number for "Lines" and you get the number of bytes transferred.

The hope that the 410 error might make Nimda (or at least that one particular Nimda) go away is admittedly wishful thinking.

Our choices are limited:

301 - the resource has moved permanently
302 - the resource has moved temporarily
303 - the resource has been replaced
403 - access to the resource is forbidden
404 - the resource was not found
410 - the resource is gone
500 - internal server error

See the HTTP specification (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html) for a complete list of status codes. I thought 410 made the most sense.

If someone has done a forensic analysis of Nimda and can better describe how it reacts (if at all) to response codes we could make a better choice.

If Nimda actually follows redirects, I'd be tempted to write a little Perl script to get the remote address and generate a 301 error pointing back at the machine with Nimda on it. Let it pound on itself for a while.
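
The byte-counting procedure in the post above, as an added example (not code from the poster): a Python model of what an HTTP response actually puts on the wire, fed with the 410 response captured by telnet and with the "Go Away" 410.html. It assumes that the server terminates the status line and each header line with CRLF, as HTTP requires, that Apache's built-in error body uses bare LF line endings, and that the capture was pasted with one line feed per line. The post's 357 and 220 byte figures for a file-backed 410.html are assumed to include headers Apache adds when it serves a file; those headers are not in the capture, so the model gives smaller numbers for those two cases.

```python
"""Added example: wire size of an HTTP response versus the Word-count estimate."""


def response_bytes(status_line, headers, body):
    """Exact wire size: status line and each header end in CRLF, then a blank
    CRLF line, then the body bytes exactly as sent."""
    wire = status_line.encode("latin-1") + b"\r\n"
    for name, value in headers:
        wire += f"{name}: {value}".encode("latin-1") + b"\r\n"
    wire += b"\r\n"
    return len(wire) + len(body)


def split_capture(text):
    """Split a telnet capture pasted with LF line endings into
    (status line, [(header name, value), ...], body bytes)."""
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.encode("latin-1")


def word_count_estimate(text):
    """The post's method: Word's 'Characters (with spaces)' plus 'Lines'.
    It charges one byte per line break, so it misses the CR of every CRLF."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()          # a trailing newline does not start another line
    return sum(len(line) for line in lines) + len(lines)


def visit_bytes(status_line, headers, body, probes_per_visit=16):
    """Bytes one worm visit costs if each of its probes (16 in the post) gets this response."""
    return probes_per_visit * response_bytes(status_line, headers, body)


# The 410 response from the post, as it would be pasted from telnet (LF line
# endings). The two bytes after "/scripts/.." are the decoded %c1%1c, kept as bytes.
CAPTURE = (
    "HTTP/1.1 410 Gone\n"
    "Date: Sat, 07 Sep 2002 13:41:26 GMT\n"
    "Server: Apache\n"
    "Connection: close\n"
    "Content-Type: text/html; charset=iso-8859-1\n"
    "\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<HTML><HEAD>\n"
    "<TITLE>410 Gone</TITLE>\n"
    "</HEAD><BODY>\n"
    "<H1>Gone</H1>\n"
    "The requested resource<BR>/scripts/..\xc1\x1c../winnt/system32/cmd.exe<BR>\n"
    "is no longer available on this server and there is no forwarding address.\n"
    "Please remove all references to this resource.\n"
    "<HR>\n"
    "<ADDRESS>Apache/1.3.26 Server at www.skolnick.org Port 80</ADDRESS>\n"
    "</BODY></HTML>\n"
)

# The post's custom 410.html body.
GO_AWAY_BODY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<HTML><HEAD>\n<TITLE>Go Away</TITLE>\n</HEAD><BODY>\n<H1>Go Away</H1>\n</BODY></HTML>\n"
)

if __name__ == "__main__":
    status, headers, default_body = split_capture(CAPTURE)
    print("Word-count estimate for the capture:", word_count_estimate(CAPTURE))
    for label, body in (("default 410 body", default_body),
                        ("Go Away body", GO_AWAY_BODY),
                        ("zero-byte body", b"")):
        size = response_bytes(status, headers, body)
        print(f"{label:18} {size:5} bytes, {visit_bytes(status, headers, body):6} per 16-probe visit")
```

Run on the capture, word_count_estimate reproduces the post's 526, while response_bytes reports 532: the six missing bytes are the carriage returns of the five header lines and the blank line that ends the header block, which the Word method counts as one character each rather than two.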

skolnick
09-09-2002, 11:04 AM
Relevant, if something of a digression, is this discussion (http://www.garshol.priv.no/download/text/http-tut.html) of HTTP and CGI that addresses what is going on in an HTTP transaction (in English, not RFCese).

techgirl
09-09-2002, 03:18 PM
Great Information! I'm a total newbie (my 1st website) so all of your help is much appreciated.

Thanks Again - Karen

skolnick
09-09-2002, 03:21 PM
Welcome aboard. Your web site is a heck of a job for a first shot. Beats the heck out of my "I am Dave" first effort!

techgirl
09-09-2002, 06:08 PM
Thanks, I always wanted to learn more about web design, web servers, etc., but never had the time till now.

However, I could do a whole new site helping people avoid all the mistakes I made!

Anyway, Thanks Again for taking the time to offer so much information.

- Karen
(a lover of liveaboard diving) haha I read your profile.