[42616] in North American Network Operators' Group


Re: Worm probes

daemon@ATHENA.MIT.EDU (Daniel Senie)
Tue Sep 18 13:46:39 2001

Message-Id: <5.1.0.14.2.20010918132603.03ea8c20@mail.amaranth.net>
Date: Tue, 18 Sep 2001 13:26:53 -0400
To: Joseph McDonald <joe@vpop.net>, nanog@merit.edu
From: Daniel Senie <dts@senie.com>
In-Reply-To: <122071095343.20010918095143@vpop.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 12:51 PM 9/18/01, Joseph McDonald wrote:


>spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
>spc> probes this morning?  We're seeing about 8000/second, starting around 9:15
>
>Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
>to lessen the impact?  One idea:  Once a probe is sent, the prober's
>IP# is stored in a hash (perhaps in shared memory or a mmap'd file
>that all children can share) and new connections from that IP are no
>longer accepted.

Or better: script which causes a filter rule to be added to ipchains list, 
blocking all ports.
-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
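
The two ideas in this message (a shared table of prober IPs, and a script that adds an ipchains rule per prober) can be combined as below. This is an added example, not code from the original post or its authors; it assumes Apache Common Log Format, and the function names, the never-block list and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Apache Common Log Format: client address first, request line in the first quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:[A-Z]+) (\S+)')
PROBE_PREFIX = "/scripts/.."   # the probe pattern named in the thread
# Assumption: ranges that must never be blocked; extend with your own networks.
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8")]


def probing_sources(lines, already_blocked=()):
    """Return new source IPs, in first-seen order, that requested a /scripts/.. URL."""
    seen = set(already_blocked)   # the table of known probers
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group(2).lower().startswith(PROBE_PREFIX):
            continue
        try:
            # Log content is attacker-influenced: accept only a literal IPv4 address.
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if str(ip) in seen or any(ip in net for net in NEVER_BLOCK):
            continue
        seen.add(str(ip))
        found.append(str(ip))
    return found


def ipchains_rules(ips):
    """Build argv lists (no shell involved) that DENY all traffic from each source."""
    return [["ipchains", "-I", "input", "1", "-s", ip, "-j", "DENY"] for ip in ips]


# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '203.0.113.9 - - [18/Sep/2001:09:15:03 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [18/Sep/2001:09:15:04 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '127.0.0.1 - - [18/Sep/2001:09:15:05 -0400] "GET /scripts/../test HTTP/1.0" 404 276',
    'not-an-ip - - [18/Sep/2001:09:15:06 -0400] "GET /scripts/../x HTTP/1.0" 404 276',
    '192.0.2.44 - - [18/Sep/2001:09:15:07 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    for argv in ipchains_rules(probing_sources(SAMPLE_LOG)):
        print(" ".join(argv))   # dry run: print the rule instead of executing it
```

The rules are printed rather than executed so they can be reviewed first; at thousands of probes per second the input chain grows quickly, so expiring old entries is worth planning for.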

