by fretlessjazz 5573 days ago
I run Rails and became tired of seeing 404s to standard ASP or PHP software (such as phpmyadmin), so I added this to our Apache conf:

    # [F] = answer 403 Forbidden, [L] = stop processing rules, [NC] = case-insensitive match
    RewriteRule \.(asp|aspx|php|jsp)$ - [F,L,NC]
    RewriteRule (w00tw00t) - [F,L,NC]
    RewriteRule (phpmyadmin) - [F,L,NC]
    RewriteRule (php-my-admin) - [F,L,NC]

That cuts off those requests before they hit a Rails process and suck up any additional resources.
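
The four rules in the post above, replayed over constructed access-log lines to see what they reject before Rails is reached (an added example, not part of the original post). It assumes Combined Log Format; `blocked_by`, `triage` and the sample lines are made up for illustration.

```python
import re

# The four patterns from the post; the [NC] flag maps to re.IGNORECASE.
# They are simple enough to behave the same in PCRE and Python's re.
RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"\.(asp|aspx|php|jsp)$",
    r"(w00tw00t)",
    r"(phpmyadmin)",
    r"(php-my-admin)",
)]

# Request line of a Combined Log Format entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def blocked_by(target):
    """Return the first pattern that would answer 403 ([F]), else None."""
    # RewriteRule is matched against the URL-path only, not the query string.
    path = target.split("?", 1)[0]
    for rule in RULES:
        if rule.search(path):
            return rule.pattern
    return None


def triage(log_lines):
    """Split logged request targets into (blocked, passed) lists."""
    blocked, passed = [], []
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            target = m.group(1)
            (blocked if blocked_by(target) else passed).append(target)
    return blocked, passed


# Constructed sample lines (documentation address range), not real traffic.
_PFX = '198.51.100.7 - - [10/Mar/2011:04:12:01 +0000] '
SAMPLE = [_PFX + '"GET %s HTTP/1.1" 404 312 "-" "-"' % t for t in (
    "/phpMyAdmin/scripts/setup.php",
    "/w00tw00t.at.ISC.SANS.DFind:)",
    "/index.php?page=1",
    "/LOGIN.ASPX",
    "/articles/securing-phpmyadmin",  # legitimate-looking slug, still rejected
    "/search?q=upload.php",           # "php" only in the query: reaches the app
    "/users/42",
)]

if __name__ == "__main__":
    blocked, passed = triage(SAMPLE)
    print("403 at Apache:", blocked)
    print("passed to Rails:", passed)
```

The unanchored substring rules also reject any legitimate path that happens to contain `phpmyadmin`, and none of the rules look at the query string; in Apache that would take a `RewriteCond %{QUERY_STRING}` test.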


On Lighty, I simply have:

    url.redirect = (
        "^(.*)php(.*)$" => "http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.37.3.tar.bz2",
        # other stuff
    )

I do not use PHP on the server. I don't know if these kits end up downloading the kernel or not, though.

Please don't do this... having bots launch a DDoS attack on kernel.org is not good.

Just throw the request away or return a 404 at the load balancer level.

If you're on Apache use mod_security, if you're not put Varnish in front and configure it to return simple 404 errors on such pages.

But don't mod_rewrite, redirect or otherwise throw traffic onto someone else's server, let alone one that will result in a traffic cost for them.

> Please don't do this... having bots launch a DDoS attack on kernel.org is not good.

Yeah, point them at microsoft.com instead! Should be easy to find a hefty service pack or DirectX install for the bots to hit...

Even though not all of us like Microsoft, you still shouldn't do this. The best way to handle this is to send random data at 10b/s and slow down the bots.

It'd be interesting to keep a list of the bots, and randomly redirect the traffic back at them. My first thought was that this would mess up people who unknowingly have a bot on their computer, but then I realized this might actually make them look into getting their computer fixed.

Am I missing something here, or is this actually a decent idea?

I suppose you could always redirect to 127.0.0.1. Maybe even go for a port that's likely to be open on a statistically random compromised system, like 135 (Windows DCOM, can't close it to localhost without breaking like half the system).

Edit: I just tried this in IE on my Win box; the connection even stayed open for a good long time! Firefox blocked it, though, which is probably good.

I doubt these bots can handle the redirect request. It's JS and I don't see why someone would code to support it. Maybe someone better informed than me can say whether curl or wget respect redirects by default.

There is an extension to iptables that adds a TARPIT target:

http://xtables-addons.sourceforge.net/

Better would be to redirect to a third-party service that offers that.

Are there any? I think that's weekend-project sized and donations could support it.

Is there a JavaScript Folding@home client? A better move would be to make bots do something useful for humanity.

Yeah, I'm not sure that kernel.org is the right way to go here... plus, I'm pretty sure they'll not be happy.

But, I do wonder if there is some other way to do the same thing. Perhaps we could set up some kind of tarpit-like server that sends out a file very slowly... like .1K / sec (~1 packet every 10 secs). Just enough to keep their connection alive, but slow enough to not use too much bandwidth.

But, I'm not sure if this would be any better than just sending a 404 quickly.

I'm not sure kernel.org would appreciate that.