nanog mailing list archives

Re: Worm probes

From: Jeff Gehlbach <jeffg () empire com>
Date: Tue, 18 Sep 2001 13:45:44 -0400


On Tue, Sep 18, 2001 at 09:51:43AM -0700, Joseph McDonald wrote:

One idea:  Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.


Better yet, set a host route for them with next hop set to 127.0.0.1.
That assumes that you don't want infected hosts talking to your host at
all.

--
Jeff Gehlbach, Concord Communications <jgehlbach () concord com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184  fax 770.384.0183

Current thread:

Re: Worm probes, (continued)
- Re: Worm probes Hermann Wecke (Sep 18)
- Re: Worm probes Joseph McDonald (Sep 18)
  - Re: Worm probes Daniel Senie (Sep 18)
  - Re: Worm probes Iljitsch van Beijnum (Sep 18)
    - Re: Worm probes M. David Leonard (Sep 19)
    - Re: Worm probes Brett Frankenberger (Sep 19)
  - Re: Worm probes z (Sep 18)
  - Re[2]: Worm probes David Ulevitch (Sep 18)
    - Re: Re[2]: Worm probes Nick Thompson (Sep 18)
    - Re: Re[2]: Worm probes Rafi Sadowsky (Sep 18)
  - Re: Worm probes Jeff Gehlbach (Sep 18)
- RE: Worm probes Don Lundquist (Sep 18)
- RE: Worm probes Smith, Rick (Sep 18)
  - Re: Worm probes Ulf Zimmermann (Sep 18)
    - Re: Worm probes Jared Mauch (Sep 18)
    - Re: Worm probes sigma (Sep 18)
- RE: Worm probes Los, Ralph (Sep 18)
- FW: Worm probes Braun, Mike (Sep 18)
  - Re: FW: Worm probes Rob Evans (Sep 18)
  - Re: FW: Worm probes Jim Olsen (Sep 18)
- RE: Worm probes Roeland Meyer (Sep 18)

(Thread continues...)