Re: Cod Red HELP!!!!

[Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>]

On Tue, Aug 07, 2001 at 07:51:59AM -0500, Advanced Hosting UNIX Admin Daniel Fairchild wrote:

> we are having issues with code red on our unix servers we have 508 IPs per 
> server and the Code Red scanning is acting like a Massive DDoS on our unix 
> machines we are getting all these requests for default.ida and we are trying 
> to figure out how to block it 

a) You could add a Squid in front of your boxes in http_acceleration
   mode -- it would considerably ease the load on your boxes.

b) Shouldn't the CodeRed scanning just result in a negative hit, e.g.
   a "File not found"?

c) You can't block it, because it legitimate port 80 traffic -- but
   maybe a aaplication level proxy in fron (Squid, again) would help.
   It would block all access to URL containing default.ida

-- 
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users