I definitely agree bots are underserved, I have a few things I do to keep them entertained, ssh bots are tar-pitted to keep them connected but busy, my hope is that I occupy at least one thread if not the whole process.
For wp-login bots I serve them a nice chunk of random (generated by a fuzzer) html in the hopes that 1. It wastes a bit of their bandwidth/memory and 2. it crashes their parser
In reality I guess bots nowadays are sturdy enough to not get stuck or crash but who knows, feels good to do something :-)
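The SSH tarpit described in the comment above, as an added Python example (not code from the post or from the linked instructions; the listen port and the pacing are assumed): it answers every connection with an endless trickle of pre-version banner lines, so a scanning client waits for a version string that never comes.

```python
import asyncio
import random
import string

# Added example (not from the thread): a minimal SSH tarpit. RFC 4253 sec. 4.2
# lets a server send lines not starting with "SSH-" before its version string;
# clients must read and discard them, so slow endless lines keep a bot waiting.

LINE_INTERVAL_SECONDS = 10.0  # assumed pacing between lines; tune to taste
LISTEN_PORT = 2222            # assumed; use 22 only where no real sshd listens


def banner_line(seed=None) -> bytes:
    """One banner line legal before "SSH-": no "SSH-" prefix, CRLF-terminated,
    at most 255 bytes. The alphabet has no "-", so the prefix cannot occur."""
    rng = random.Random(seed)  # a seed makes the line reproducible for tests
    alphabet = string.ascii_letters + string.digits
    body = "".join(rng.choice(alphabet) for _ in range(rng.randint(8, 32)))
    return (body + "\r\n").encode("ascii")


def is_valid_banner_line(line: bytes) -> bool:
    """Invariants an SSH client relies on for pre-version banner lines."""
    return (line.endswith(b"\r\n") and not line.startswith(b"SSH-")
            and len(line) <= 255)


async def tarpit(reader, writer) -> None:
    """Feed one client banner lines until it gives up and disconnects."""
    try:
        while True:
            writer.write(banner_line())
            await writer.drain()
            await asyncio.sleep(LINE_INTERVAL_SECONDS)
    except ConnectionError:
        pass  # the bot hung up; nothing to clean up beyond closing
    finally:
        writer.close()


async def main() -> None:
    server = await asyncio.start_server(tarpit, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Each connected client costs the tarpit one idle coroutine and a few bytes every interval, while the client sits in its banner-reading loop.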
I blocked almost all wp-login bots just using bot fight mode in Cloudflare a few months ago along with some CF page rules to run an interstitial. It seems to be losing effectiveness over time though, and since I do have WP-login, I wonder how I can implement something like your idea.
Maybe rename the legit login and put this in its place, but that would cause issues for redirects from the legit login link...
Every time I read about ssh tarpits I wish I had a reason to set up one in my VPS. Alas it's much easier to use the VPS provider's network access rules to block all incoming traffic to tcp/22 that isn't from my IP.
> I’m half joking, but if we can have HTTP 418 I’m a Teapot then there is enough room in the HTTP standard for the more useful HTTP 419 Never Gonna Give You Up error code.
Actually, there was a proposal to remove the 418 code formally, but in the end it was grandfathered in. Unfortunately, unless you have convinced a lot of people to allow 419, it would not be allowed anymore (even in an April Fools' RFC) according to the established protocol of IANA controlling the allocation of error codes, and IANA no longer allows "joke" allocations unless there is an RFC clarifying why that particular code must exist in a non-joking manner (see 451, in homage to Fahrenheit 451, but it is the recommended code for an informed block). Even 418 was technically only reserved in such a way that allows it to be overridden in case a good demonstration is made that 418 should be the code for that error.
The thing that really disappoints me is that 418 I'm a Teapot isn’t registered—instead it’s reserved as “(Unused)”: https://www.iana.org/assignments/http-status-codes/http-stat..., https://www.ietf.org/archive/id/draft-ietf-httpbis-semantics.... As it stands, I suspect (as one that’s been involved in a couple and examined more back in 2013–2014) that most even vaguely recent HTTP libraries that have some kind of status code enum or constants defined take their data from the HTTP status codes registry, with a single exception for 418 I'm a Teapot.
As far as a 419 is concerned, I’d argue that 418 is already suitable anyway as a joke alternative to the more serious 429/503: “wp-admin.php? I’m not WordPress, I’m a teapot!” (Similar style to the joke about one cow warning another about the mad cow disease in the area, and the other responding that it’s not worried because it’s a helicopter.)
IANA controls http codes only insofar as no one has told them to knock it off yet. There's no major interop risk from conflicting (200, 400, 500) codes in the way there is for other namespaces because the semantics are essentially contained only in the first digit.
If you're aware that someone is doing penetration tests on your system, but their probing isn't significantly costing you resources, wouldn't you instead just give some generic response to not clue them into you knowing their intention? There's a lot of people who basically do that with scam callers by just leading them on and wasting the scammers time.
I used to do something along this line. If I saw a bot then I would use ACLs in haproxy to serve up some static pages from memory that contained strings their request was looking for. This of course attracted more bots. It didn't cost me anything aside from making my logs a bit more noisy, so I disabled logging for the bots. Then I found a funny side effect of shodan showing my nodes being vulnerable to many things. That was a blemish so I disabled the ACLs. In hindsight and knowing how bot farms work it wasn't really wasting anyone's time or resources but was a fun little learning exercise.
You could but it's extra work to build that into the application while you could use a generic off the shelf WAF / IDS type solution that just blocks them. Won't fully stop a targeted manual attack but it is enough to make bots move on to their next target. And it slows down any manual reconnaissance work.
I like the spirit of the idea, but messing with bots and script kiddies is best kept a highly local thing.
You don't need a standardized error code to signal to a red team, you can say "hi" in a number of different ways, depending on what they're poking at. And if everyone is doing the same thing to script kiddies, well, where's the sport in that?
If the requirement is that the client should follow the redirect, one should not use a 4xx status code. I think “319 never gonna give you up” is more adequate.
gnyman | 4 years ago
Tarpit instructions https://nyman.re/super-simple-ssh-tarpit/
Wp-login page https://twitter.com/gnyman/status/1181652421841436672?s=20
And I remembered another nice trick which someone else came up with, zip bomb the bots :-)
https://blog.haschek.at/2017/how-to-defend-your-website-with...
SCHiM | 4 years ago
It won't work on the more sturdy samples, but maybe try a GZIP bomb on https streams: https://www.infosecmatter.com/metasploit-module-library/?mm=...
rexfuzzle | 4 years ago
inside65 | 4 years ago
Arnavion | 4 years ago
gitgud | 4 years ago
Just curious, is it legal to host a zip bomb on your website? I would think it would be classified under some kind of Cyber crime....
zinekeller | 4 years ago
bigiain | 4 years ago
chrismorgan | 4 years ago
anonymousiam | 4 years ago
https://www.419eater.com/
https://en.wikipedia.org/wiki/419eater.com
bradgessler | 4 years ago
unknown | 4 years ago
[deleted]
unanswered | 4 years ago
spc476 | 4 years ago
[1] gopher.conman.org
Slade1 | 4 years ago
LinuxBender | 4 years ago
hyperman1 | 4 years ago
Waterluvian | 4 years ago
t0mas88 | 4 years ago
_jal | 4 years ago
dmitrijbelikov | 4 years ago
419 Page Expired (Laravel Framework) Used by the Laravel Framework when a CSRF Token is missing or expired.
throwaway81523 | 4 years ago
lliamander | 4 years ago
omgitsabird | 4 years ago
"Shut The Fuck Up" in my framework.
andrethegiant | 4 years ago
bradgessler | 4 years ago
willcipriano | 4 years ago
ufmace | 4 years ago
zeepzeep | 4 years ago
https://www.youtube.com/watch?v=I3pNLB3Cq24
nunez | 4 years ago
dane-pgp | 4 years ago
https://i.redd.it/wmwqgt9kbop41.jpg
DeathArrow | 4 years ago
hoppla | 4 years ago
unknown | 4 years ago
[deleted]
unknown | 4 years ago
[deleted]
omgitsabird | 4 years ago
https://github.com/laravel/framework/blob/a2c557a1b697c46292...
dusted | 4 years ago
Side effects may include:
* Helping bot authors improve their bot so it won't be identified.
* Revealing how good you are at detecting bots.
grodes | 4 years ago
ChrisMarshallNY | 4 years ago
bencollier49 | 4 years ago