[42609] in North American Network Operators' Group
Re: Worm probes
daemon@ATHENA.MIT.EDU (Joseph McDonald)
Tue Sep 18 13:14:54 2001
Date: Tue, 18 Sep 2001 09:51:43 -0700
From: Joseph McDonald <joe@vpop.net>
Reply-To: Joseph McDonald <joe@vpop.net>
Message-ID: <122071095343.20010918095143@vpop.net>
To: nanog@merit.edu
In-Reply-To: <20010918135431.27315.qmail@smx.pair.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15
Yes. We are seeing it here bigtime. Does anyone have any apache hacks
to lessen the impact? One idea: Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.
thanks,
-joe
