[42623] in North American Network Operators' Group
Re: Worm probes
daemon@ATHENA.MIT.EDU (z@s0be.net)
Tue Sep 18 14:17:52 2001
Date: Tue, 18 Sep 2001 10:31:35 -0700 (PDT)
From: <z@s0be.net>
To: Joseph McDonald <joe@vpop.net>
Cc: <nanog@merit.edu>
In-Reply-To: <122071095343.20010918095143@vpop.net>
Message-ID: <Pine.GSO.4.33.0109181026040.7552-100000@power.s0be.net>
On Tue, 18 Sep 2001, Joseph McDonald wrote:
>
>
> spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> spc> probes this morning? We're seeing about 8000/second, starting around 9:15
>
> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
> to lessen the impact? One idea: Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.
<--( SNIP )-->
That would still allow the malicious network traffic to traverse your
network.
I'm not seeing more than about 60 unique hosts that are scanning (YMMV),
so that isn't a huge hit for me ACL-wise (again YMMV). Your choice:
let them bang on your router or your web servers. Depends on your
situation.
.z
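
An added example, not part of the original message: one way to get the unique-host count the reply relies on, by scanning web server logs for `/scripts/..` requests and rendering a router deny list when the set is small enough to maintain. The Apache Common Log Format input, the Cisco IOS-style extended ACL output, the function names and the `max_entries` threshold are all assumptions; the log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Assumption: Apache Common Log Format (client address first, request quoted).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')
PROBE_PREFIX = "/scripts/.."  # the probe path named in the thread

# Constructed sample lines: documentation addresses, placeholder paths.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:15:02 -0700] "GET /scripts/..%5c../placeholder HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:09:15:03 -0700] "GET /scripts/..%2f../placeholder HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:04 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.44 - - [18/Sep/2001:09:15:05 -0700] "GET /SCRIPTS/../placeholder HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:09:15:09 -0700] "GET /scripts/search.cgi HTTP/1.0" 200 512
garbage line that does not parse
"""

def probing_hosts(lines):
    """Return a Counter of client address -> number of /scripts/.. requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        # Case-insensitive prefix match; unparseable lines are skipped.
        if m and m.group(2).lower().startswith(PROBE_PREFIX):
            hits[m.group(1)] += 1
    return hits

def acl_lines(hits, acl_number=101, max_entries=100):
    """Render IOS-style deny entries, or None if the set is too large
    to keep as a hand-maintained ACL (threshold is an assumption)."""
    if len(hits) > max_entries:
        return None
    ordered = sorted(hits, key=lambda ip: (-hits[ip], ip))  # busiest first
    entries = [f"access-list {acl_number} deny ip host {ip} any" for ip in ordered]
    # Extended ACLs end in an implicit deny, so permit everything else explicitly.
    entries.append(f"access-list {acl_number} permit ip any any")
    return entries

if __name__ == "__main__":
    hits = probing_hosts(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} unique probing hosts")
    for entry in acl_lines(hits) or ["too many hosts for a static ACL"]:
        print(entry)
```
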