[Zope] Responding to hackers

Skip Montanaro skip@pobox.com
Fri, 25 Oct 2002 12:11:11 -0500


    Dylan> I'm sure we've all seen our servers get scanned repeatedly for
    Dylan> vulnerabilities in other systems....

    Dylan> All of these calls are currently getting the customary 404, but I
    Dylan> wonder if there's anything more intelligent or proactive to be
    Dylan> done.

You might be able to slow them down.  Depending on what sort of control you
have over the HTTP bits stuffed on the wire, when you encounter requests for
such pages, you can have the thread serving the connection slow its
responses to a crawl, issue "100 Continue" responses, etc.  In the mail spam
world this is generally called "teergrubing".  The challenge of identifying
suspect clients is easier with HTTP than with SMTP.  HTTP clients have to
ask for a page you recognize as clearly a scan for holes in your system.  In
SMTP you have to infer the other end is a bad guy based upon the remote IP
address.

It should be fairly easy to extend the httplib module to crawl when asked.

-- 
Skip Montanaro - skip@pobox.com
http://www.mojam.com/
http://www.musi-cal.com/
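As an added example (not code from the original mail, nor from Zope or its httplib), here is a minimal Python 3 tarpit handler along the lines Skip describes: requests for paths that look like scans for holes in other systems still get the customary 404, but the body trickles out one byte at a time, with an upper bound on how long a single probe can hold the thread. The probe patterns, delay and budget are constructed assumptions.

```python
import re
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample of scanner probe paths (an assumption for illustration,
# not a list from the original mail); tune this to what your own logs show.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (
    r"cmd\.exe", r"/_vti_bin/", r"/scripts/", r"\.\./", r"/phpMyAdmin")]

TRICKLE_DELAY = 0.5        # seconds to wait before each byte sent to a suspect client
MAX_TARPIT_SECONDS = 30.0  # upper bound so one probe cannot hold a thread forever

def is_probe(path):
    """True if the requested path looks like a scan for holes in other systems."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def trickle_plan(body, delay, budget):
    """Return a list of (chunk, pause) pairs: one byte per `delay` seconds until
    `budget` seconds are used up, then whatever is left in a single chunk."""
    slow_bytes = min(len(body), int(budget // delay))
    plan = [(body[i:i + 1], delay) for i in range(slow_bytes)]
    if slow_bytes < len(body):
        plan.append((body[slow_bytes:], 0.0))
    return plan

class TarpitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"Not Found\n"
        self.send_response(404)  # probes still get the customary 404
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if not is_probe(self.path):
            self.wfile.write(body)
            return
        self.log_message("tarpitting %s from %s", self.path, self.client_address[0])
        try:
            for chunk, pause in trickle_plan(body, TRICKLE_DELAY, MAX_TARPIT_SECONDS):
                time.sleep(pause)
                self.wfile.write(chunk)
                self.wfile.flush()
        except (BrokenPipeError, ConnectionResetError):
            pass  # the scanner gave up early; nothing more to do

if __name__ == "__main__":
    # Threaded server so tarpitted connections do not block legitimate clients.
    ThreadingHTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

Each tarpitted connection occupies a thread for up to MAX_TARPIT_SECONDS, so keep the budget small relative to your thread pool and watch the log line for how often it fires.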