For Apache servers getting hammered with Code Red hits, one solution is this addition to your httpd.conf files in Apache:


This will help keep the load off your web server and put the load where it belongs, sending the probes to the originator. Seems only fair and ethical to return the probe to the originator.

/me ROTFL

Will this really lower the load on your web server? Assuming you are running Apache, then /default.ida probably doesn't exist anyway, which would mean the server sends a 404 Not Found response. With this Redirect, it just sends a 302 Redirect response instead. i don't think it would save you many bytes.

Well, not to defend Microsoft, but technically they are not the "originator". IIS is just a "carrier" for the virus.


Its a funny idea though ...

No, it does not really lower the load on Apache servers. It is just a fun idea

When default.ida does not exist, the return code is 400:

After redirect the return code is 302:

I did this the other day on my company's server; couldn't resist.

Neo said:

Seems only fair and ethical to return the probe to the originator.

Yes, if Microsoft wouldn't release such buggy code, they wouldn't be in the mess they are.

Another interesting solution:

http://www.dasbistro.com/default.ida


A perl script which finds the technical contact by checking the SOA record for each IP that connects and sends them a friendly email...


Or here's another one:

http://www.dynwebdev.com/codered/

which pops up a window on the attacking machine using Java and "net send".


Or yet another which attempts to slow the attack process by getting the attacker caught waiting for TCP timeouts:

http://www.hackbusters.net/CodeRedneck.tgz