Christopher Schultz wrote:
Chris,
On 4/20/13 6:08 PM, chris derham wrote:
I think that you have articulated your suggestion very well. I
think you have weighed the pros well and been open to debate.
Personally I just don't think what you propose will have the effect
that you desire.
I agree. Most of these scanners only scan a few URLs every few seconds
in order to avoid being branded as vulnerability-scanners, so adding a
delay to them won't really change anything.
Chris,
with respect, I believe that you are mistaken. My own server logs, over a quite long
period of time, show that the majority of these scans happen according to a rather
systematic pattern like the one I posted earlier in this thread, with a relevant portion
re-posted below.
That is:
- one origin IP per scan
- approximately 3-4 requests per second
- 10 to 30 URLs per "session"
The particular scan shown below started at 00:52:32 and ended at 00:52:49, after scanning
36 different URLs. In elapsed time, including the pauses that it undeniably makes, that
is 17 seconds. The server in question normally responds to such requests in less than 10
ms. Excluding the pauses thus, it took this bot 36 x 10 ms = 0.36 s "real time" to scan
the 36 URLs (excluding network latency, which is probably about 50 ms per URL).
If the server added an average 1 s pause to each 404 response, it would have taken the bot
36 seconds "real time" to make the same scan. That is 100 times more.
Now, no matter how smart the bot is in doing this kind of scan, if the 404's are delayed,
the fact of the matter is that it will always cost the bot these extra 36 seconds to
finish the same job.
For example, the probability is high that the bot pauses between URLs, so that as you say
it will not be locked-out or detected by some kinds of tools.
If it is smart, it could use the pauses between scans on this server, to scan several
other ones at the same time, in an interleaved fashion, so that on none of the scanned
servers it will be issuing more than 3-4 requests per second, but in total it will be
issuing many more.
Well, no matter how you put this, if some relatively small proportion of these servers
delay their 404 responses, the bot will still experience a dramatic slowdown in scanning
any given number of URLs on any given number of servers.
Unless the bot is really smart enough to detect in advance that this server is going to
artificially slow down its 404 responses, and in consequence avoids scanning it, I do not
see how it could possibly avoid this slowdown, if scanning URLs is what it does.
So, there are 2 possibilities:
- if the bot is not so smart and scans nevertheless, then within any given period of time,
it will be able to scan only a small fraction of the URLs that it was planning to scan. In
which case the WWW at large benefits.
- if the bot is so smart and avoids scanning my server, then the WWW at large does not
benefit, but my server does.
Please, prove to me that I am wrong. It would at least save me the energy to continue
trying to convince people to try this out.
Access log sample:
209.212.145.91 - - [03/Apr/2013:00:52:32 +0200] "GET /muieblackcat HTTP/1.1" 404 362 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/index.php HTTP/1.1" 404 365 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/pma/index.php HTTP/1.1" 404 369 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:36 +0200] "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //db/index.php HTTP/1.1" 404 362 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //dbadmin/index.php HTTP/1.1" 404 367 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //myadmin/index.php HTTP/1.1" 404 367 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:37 +0200] "GET //mysql/index.php HTTP/1.1" 404 365 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //mysqladmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //typo3/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:38 +0200] "GET //phpadmin/index.php HTTP/1.1" 404 368 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:39 +0200] "GET //phpmyadmin1/index.php HTTP/1.1" 404 371 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //phpmyadmin2/index.php HTTP/1.1" 404 371 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //pma/index.php HTTP/1.1" 404 363 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //web/phpMyAdmin/index.php HTTP/1.1" 404 374 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:40 +0200] "GET //xampp/phpmyadmin/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //websql/index.php HTTP/1.1" 404 366 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:44 +0200] "GET //phpmyadmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //phpMyAdmin/index.php HTTP/1.1" 404 370 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //phpMyAdmin-2/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:45 +0200] "GET //php-my-admin/index.php HTTP/1.1" 404 372 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:46 +0200] "GET //phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:47 +0200] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:48 +0200] "GET //phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 380 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:49 +0200] "GET //phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 376 "-" "-"
209.212.145.91 - - [03/Apr/2013:00:52:49 +0200] "GET //phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 376 "-" "-"