From travis+ml-dfd at subspacefield.org Fri Aug 27 18:27:33 2010
From: travis+ml-dfd at subspacefield.org (travis+ml-dfd at subspacefield.org)
Date: Fri, 27 Aug 2010 16:27:33 -0700
Subject: [DFD] idea: source taint daemon (staintd)
Message-ID: <20100827232733.GA10334@subspacefield.org>

I was musing over my web logs today and the output of some analytics packages. I see a number of doofuses trying to look for vulnerable PHP scripts, and I think "you know, get enough 404s trying those and I should do something automatically".

I also see a few attempts to do invalid HTTP protocols. Again, someone is up to no good, or doing something dumb - hard to tell.

And then there's the whole bot-trap thing. You put something in your robots.txt that is only there to catch people who read robots.txt and then try to crawl it. You should really block those guys.

So, while musing over the "you know, I should do something about this" and thinking about DFD and the desirability of a flexible response - one that isn't "all or nothing", but allows legitimate users to do a few minorly dumb things before it blocks them, and also lets me time-decouple the response from the detection event - it occurred to me that I could quite easily set up a daemon - I'll call it staintd - that allows other programs to "taint" the source IPs as being naughty. Presumably, after racking up some number of points against these people, I'd take action.

And I don't believe in taking this action only on the web server; if someone was trying to haxor my web server, why let them talk to port 25? Why do access control in every app? So DFD is the natural choice.

So I'm throwing this idea out there... a daemon that tracks naughty source IPs, and when they've been naughty enough, triggers a rule change via DFD. What exactly that rule change is, or what you consider naughty, or how naughty you consider things, is up to you.

Oh yes; for those who are interested, the dfd_keeper page has an excellent sample transcript now.
--
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john at subspacefield.org to get blacklisted.
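The daemon the post proposes, as an added example (not code from the post or from dfd_keeper): per-source-IP points that decay over time, a threshold that fires one response callback standing in for the DFD rule change, and a classifier that taints sources from access-log lines for the three behaviours named above (PHP-probe 404s, malformed requests, the robots.txt bot trap). The point weights, the trap path, the log regex and the sample log lines are constructed assumptions.

```python
"""Sketch of the proposed staintd: programs report "taints" against a source IP, points
decay over time, and crossing a threshold fires one response (a stand-in for a DFD rule
change). Weights, trap path, log regex (combined-log prefix) and log lines are constructed."""
import re, time

TAINT_POINTS = {"php_probe_404": 2,   # 404 on a .php path, typical of vuln scanners
                "invalid_http": 3,    # request the server rejected as malformed (400)
                "robots_trap": 10}    # fetched a path listed in robots.txt only as bait
TRAP_PATHS = {"/secret-admin/"}       # constructed bot-trap path
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

class SourceTaintDaemon:
    def __init__(self, threshold=10, half_life=3600.0, on_block=None, clock=time.time):
        self.threshold, self.half_life, self.clock = threshold, half_life, clock
        self.on_block = on_block or (lambda ip, score: None)
        self._state = {}              # ip -> (score, timestamp of last update)
        self.blocked = set()

    def score(self, ip, now=None):
        now = self.clock() if now is None else now
        s, ts = self._state.get(ip, (0.0, now))
        return s * 0.5 ** ((now - ts) / self.half_life)   # exponential decay

    def taint(self, ip, reason):
        # Record one naughty event for ip and return its updated score.
        now = self.clock()
        s = self.score(ip, now) + TAINT_POINTS[reason]
        self._state[ip] = (s, now)
        if s >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            self.on_block(ip, s)      # where staintd would push the DFD rule change
        return s

def taint_from_log_line(daemon, line):
    """Classify one access-log line and taint its source; returns the reason or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    reason = ("robots_trap" if path in TRAP_PATHS else
              "invalid_http" if status == "400" else
              "php_probe_404" if status == "404" and path.endswith(".php") else None)
    if reason:
        daemon.taint(ip, reason)
    return reason

SAMPLE_LOG = [  # constructed lines; 192.0.2.0/24 is documentation address space
    '192.0.2.1 - - [27/Aug/2010:18:27:33 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 404 162',
    '192.0.2.1 - - [27/Aug/2010:18:27:34 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 162',
    '192.0.2.2 - - [27/Aug/2010:18:27:35 -0700] "GET /secret-admin/ HTTP/1.1" 200 512',
]
```

Feeding SAMPLE_LOG through a daemon with a low threshold (4) blocks 192.0.2.1 on its second probe and 192.0.2.2 immediately; a line that matches none of the three patterns adds nothing.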