[42628] in North American Network Operators' Group


Re: Worm probes

daemon@ATHENA.MIT.EDU (Jeff Gehlbach)
Tue Sep 18 14:41:44 2001

Date: Tue, 18 Sep 2001 13:45:44 -0400
From: Jeff Gehlbach <jeffg@empire.com>
To: Joseph McDonald <joe@vpop.net>
Cc: nanog@merit.edu
Message-ID: <20010918134543.A26444@empire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <122071095343.20010918095143@vpop.net>; from joe@vpop.net on Tue, Sep 18, 2001 at 09:51:43AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Sep 18, 2001 at 09:51:43AM -0700, Joseph McDonald wrote:
> One idea:  Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.

Better yet, set a host route for them with next hop set to 127.0.0.1.
That assumes that you don't want infected hosts talking to your host at
all.

--
Jeff Gehlbach, Concord Communications <jgehlbach@concord.com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184  fax 770.384.0183
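
An added example, not part of the original message: one way to turn logged probes into the host routes suggested above. It parses the source address strictly and skips prefixes that must stay reachable. The probe markers, the never-block prefixes, the log lines and the Linux net-tools `route` syntax are all assumptions, since the thread specifies none of them.

```python
import ipaddress

# Assumption: substrings that identify a probe request; the thread names none.
PROBE_MARKERS = ("/scripts/root.exe", "/winnt/system32/cmd.exe")
# Assumption: prefixes that must never be null-routed (loopback, own network).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]

# Constructed access-log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:13:40:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.44 - - [18/Sep/2001:13:40:02 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.7 - - [18/Sep/2001:13:40:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 215
198.51.100.9 - - [18/Sep/2001:13:40:04 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
not-an-ip;reboot - - [18/Sep/2001:13:40:05 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210
"""

def find_probers(log_text):
    """Return the sorted, de-duplicated source addresses that sent a probe."""
    probers = set()
    for line in log_text.splitlines():
        fields = line.split(" ", 1)
        if len(fields) < 2:
            continue
        if not any(marker in fields[1].lower() for marker in PROBE_MARKERS):
            continue
        try:
            # Strict parsing keeps log-supplied junk out of the route command.
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if any(addr.version == net.version and addr in net for net in NEVER_BLOCK):
            continue  # never cut off our own hosts, even if they look infected
        probers.add(addr)
    return sorted(probers)

def host_route_argv(addr):
    """argv for a host route with next hop 127.0.0.1 (Linux net-tools syntax, assumed)."""
    return ["route", "add", "-host", str(addr), "gw", "127.0.0.1", "lo"]

if __name__ == "__main__":
    for ip in find_probers(SAMPLE_LOG):
        print(" ".join(host_route_argv(ip)))  # printed for review, not executed
```

The commands are only printed, so an operator can review the list before applying it; an own-network address that shows up as a prober (198.51.100.9 in the sample) is skipped here and needs cleaning rather than a route.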
