Nick Guenther wrote:
No, it's not possible to bypass the handshake. These must be zombie
hosts. Compromised Windows boxes go for 5 cents, I hear. You should try
to figure out who would want to do this to you.

Well, finding the source of this, as you can imagine, is not that easy.

In my database right now I am up to 5241 IPs, starting at 2PM today only.

I sure can publish it as it's fair game.

But what's interesting to me is the signature.

If I follow this idea, then every single compromised computer in my list has to be Windows, all with the same service pack, browser, etc. Obviously, if they are all the same, then they all have the same bug and can be compromised the same way. But still.

Yep, sometimes I express myself vocally, but using that many computers to get back at me? I am not that important, or maybe I am and didn't know it! (;>

But as this is going on, it's as good a time as any to find ways to combat this, and that's what I am looking into. Right now, I trap all the sources in my SQL database, with the last time of the attempt and the number of times it was done, etc. After that, spitting this out and adding it to a PF table is no big deal, but at the same time, I wanted to make sure it's really the case, and how to be sure not to block legitimate sources.

That's why I was looking at the possibility that the source is somehow not from the IPs it says it is, and that's why I thought of the three-step TCP handshake. If it's really not possible to send a GET request blindly and have Apache reply with content without doing the handshake first, then that excludes my question about it not being from the IP it says it is from.

The good news is that this gives me a live lab to test with.

The bad news is that this is hitting heavy web servers as well, but they handle the load well so far. Got to love OpenBSD, I tell you!

Still, I am looking at various ideas; if anyone has suggestions, they would be appreciated.

In the end, if I understand you well, doing any SYN proxy setup wouldn't do anything whatsoever here. It was a nice thought anyway.

Best,

Daniel
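The per-source bookkeeping Daniel describes (hit count and last-seen time per IP, then a threshold and an allow-list before anything lands in a PF table), written out as an added example that is not code from the thread. The log lines, addresses, table name `bruteforce` and the allow-list network are constructed for illustration.

```python
"""Added example: aggregate web-server sources by IP (hits + last seen), apply a
threshold and an allow-list so legitimate sources are not blocked, then emit the
pfctl commands that would add the remaining addresses to a PF table."""
from datetime import datetime
import ipaddress
import re

# Apache combined-log prefix: client IP, ident, user, then the [timestamp] field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two noisy sources and one ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2007:14:00:01 -0500] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2007:14:00:02 -0500] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [14/Mar/2007:14:00:03 -0500] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [14/Mar/2007:14:00:04 -0500] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [14/Mar/2007:14:00:05 -0500] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [14/Mar/2007:14:00:06 -0500] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [14/Mar/2007:14:00:07 -0500] "GET /about HTTP/1.1" 200 2048
"""

def aggregate(log_text):
    """Return {ip: (hits, last_seen)}: the two fields kept per source."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        hits, last = stats.get(ip, (0, None))
        stats[ip] = (hits + 1, ts if last is None or ts > last else last)
    return stats

def candidates(stats, threshold, allow_nets=()):
    """IPs with at least `threshold` hits that are not inside an allowed network."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    out = []
    for ip, (hits, _last) in stats.items():
        addr = ipaddress.ip_address(ip)
        if hits >= threshold and not any(addr in net for net in allowed):
            out.append(ip)
    return sorted(out)

def pf_table_lines(ips, table="bruteforce"):
    """pfctl commands that add each address to a PF table (review before running)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(pf_table_lines(candidates(aggregate(SAMPLE_LOG), 3, ["203.0.113.0/24"]))))
```

Raising the threshold or widening the allow-list is the knob for the false-positive concern in the post; the emitted commands are meant to be inspected, not piped straight into pfctl.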
