nanog mailing list archives
Re: Worm probes
From: <z () s0be net>
Date: Tue, 18 Sep 2001 10:31:35 -0700 (PDT)
On Tue, 18 Sep 2001, Joseph McDonald wrote:
spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15

Yes. We are seeing it here bigtime. Does anyone have any apache hacks to lessen the impact?

One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
<--( SNIP )-->

That would still allow the malicious network traffic to traverse your network. I'm not seeing more than about 60 unique hosts that are scanning ( YMMV ), so that isn't a huge hit for me ACL-wise ( again YMMV ). Your choice, let them bang on your router or your web servers. Depends on your situation.

.z
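Added example, not part of the thread: one way to size the ACL option discussed above is to count the unique hosts requesting `/scripts/..` paths in a web server access log and render a deny line for each. The Apache common log format, the Cisco-IOS-style extended ACL syntax, the ACL number 101, the function names and the sample log lines are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache common log format (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:15:02 -0700] "GET /scripts/..%5c../placeholder HTTP/1.0" 404 210
192.0.2.10 - - [18/Sep/2001:09:15:03 -0700] "GET /scripts/../placeholder HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:09:15:04 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [18/Sep/2001:09:15:05 -0700] "GET /scripts/..%5c../placeholder HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:09:15:06 -0700] "GET /scripts/report.pl HTTP/1.0" 200 512
host.example.net - - [18/Sep/2001:09:15:07 -0700] "GET /scripts/../placeholder HTTP/1.0" 404 210
not a log line
"""

# Captures the client field and the request path of a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:[A-Z]+) (\S+)[^"]*"')
PROBE_PREFIX = "/scripts/.."  # the probe path named in the thread

def probing_hosts(log_text):
    """Return a Counter mapping IPv4 source address -> number of probe requests."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).startswith(PROBE_PREFIX):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client logged as a hostname; never emit it into an ACL
        if ip.version == 4:
            hits[str(ip)] += 1
    return hits

def acl_lines(hits, acl_number=101, min_hits=1):
    """Render one deny entry per probing host, in address order."""
    hosts = sorted((ip for ip, n in hits.items() if n >= min_hits),
                   key=ipaddress.ip_address)
    lines = [f"access-list {acl_number} deny ip host {ip} any" for ip in hosts]
    # An extended ACL ends in an implicit deny, so permit everything else explicitly.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    hits = probing_hosts(SAMPLE_LOG)
    print(len(hits), "unique probing hosts")
    print("\n".join(acl_lines(hits)))
```

The unique-host count is the figure that decides whether a per-host ACL stays manageable on the router; `min_hits` lets a single stray request be ignored.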