Streaming virtual files

It is common for malicious attackers to scan web sites for vulnerabilities. They use security scanners like Nessus to probe the target web site for scripts that are known to have vulnerabilities. An analysis of web server logs from a scanned machine, or of the Nessus database itself, reveals that most of the known vulnerabilities are in PHP scripts and ASP scripts. Since we are running web2py, we do not have those vulnerabilities, but we will still be scanned for them. This is annoying, so we would like to respond to those vulnerability scans in a way that makes the attacker understand their time is being wasted.

One possibility is to redirect all requests for .php, .asp, and anything suspicious to a dummy action that will respond to the attack by keeping the attacker busy for a large amount of time. Eventually the attacker will give up and will not scan us again.

This recipe requires two parts.

The first is a dedicated application called jammer with a “default.py” controller as follows:

    class Jammer():
        # A file-like object that never reaches EOF: every read(n)
        # returns n more characters, so the stream never ends.
        def read(self, n):
            return 'x' * n

    def jam():
        # response.stream pulls from the Jammer in 40000-character chunks
        return response.stream(Jammer(), 40000)

When this action is called, it responds with an infinite data stream full of “x”-es, 40000 characters at a time.

The second ingredient is a “routes.py” file that redirects any request ending in .php, .asp, etc. (both upper case and lower case) to this controller:

    routes_in = (
        # note: the dot before the extension is unescaped, so it matches any character
        ('.*.(php|PHP|asp|ASP|jsp|JSP)', 'jammer/default/jam'),
    )

The first time you are attacked you may incur a small overhead, but our experience is that the same attacker will not try twice.
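To check the recipe offline, here is an added example (not code from the web2py book or from web2py itself). It uses a stand-in chunked reader in place of response.stream and a stand-in matcher in place of web2py's router, both assumptions, to show that the Jammer yields fixed-size chunks while a finite file still terminates, and that the recipe's unescaped dot also routes legitimate URLs whose last segment happens to end in "asp", "php" or "jsp" to the jammer, which an anchored, escaped pattern avoids.

```python
import io
import re
from itertools import islice

# Same Jammer as in the recipe: a file-like object whose read(n) never hits EOF.
class Jammer:
    def read(self, n):
        return 'x' * n

def stream_chunks(fileobj, chunk_size):
    """Stand-in for a streaming response (assumption, not web2py's code):
    read chunk_size at a time until read() returns an empty value."""
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            return
        yield chunk

def take_chunks(fileobj, chunk_size, count):
    """Pull at most `count` chunks, so an endless Jammer can be inspected safely."""
    return list(islice(stream_chunks(fileobj, chunk_size), count))

# The pattern exactly as written in the recipe's routes.py.
RECIPE_PATTERN = re.compile(r'.*.(php|PHP|asp|ASP|jsp|JSP)')
# A tightened variant: escaped dot, anchored at the end, case-insensitive.
TIGHT_PATTERN = re.compile(r'.*\.(php|asp|jsp)$', re.IGNORECASE)

def is_jammed(path, pattern=TIGHT_PATTERN):
    """Stand-in for the routes_in decision (assumption: simplified re.match,
    not web2py's router). Returns True when the path would go to the jammer."""
    return pattern.match(path) is not None

if __name__ == '__main__':
    # Constructed sample paths: two scanner probes and two legitimate web2py URLs.
    for path in ['/admin/config.PHP', '/setup.asp', '/myapp/default/index',
                 '/myapp/default/grasp']:
        print(path, 'recipe:', is_jammed(path, RECIPE_PATTERN),
              'tight:', is_jammed(path, TIGHT_PATTERN))
    print(len(take_chunks(Jammer(), 40000, 3)[0]))  # 40000
```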