nanog mailing list archives
Re: Worm probes
From: Jeff Gehlbach <jeffg () empire com>
Date: Tue, 18 Sep 2001 13:45:44 -0400
On Tue, Sep 18, 2001 at 09:51:43AM -0700, Joseph McDonald wrote:
> One idea: Once a probe is sent, the prober's IP# is stored in a hash (perhaps in shared memory or a mmap'd file that all children can share) and new connections from that IP are no longer accepted.
Better yet, set a host route for them with next hop set to 127.0.0.1. That assumes that you don't want infected hosts talking to your host at all.

-- 
Jeff Gehlbach, Concord Communications <jgehlbach () concord com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184 fax 770.384.0183
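The two ideas in this message, the hash of prober addresses and the per-host null route, combined as an added example that is not part of the original post or code from either author. The probe patterns, the allowlist, the threshold, the sample log lines and the use of the Linux iproute2 "blackhole" route in place of a next hop of 127.0.0.1 are all assumptions made for the example.

```python
import ipaddress
import re

# Assumption: a probe is recognised by its request path. These two patterns
# are sample values chosen for the example, not signatures from the thread.
PROBE_RE = re.compile(r'"(?:GET|HEAD) \S*(?:cmd\.exe|root\.exe)', re.I)
# Sources that must never be null-routed (own hosts, monitoring, proxies).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]


def probing_hosts(log_lines, threshold=2):
    """Return the source IPs seen sending at least `threshold` probes."""
    hits = {}  # the "hash" of prober addresses -> probe count
    for line in log_lines:
        if not PROBE_RE.search(line):
            continue
        try:
            ip = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # hostname or junk in field 1: never reaches a command
        if any(ip in net for net in ALLOWLIST):
            continue
        hits[ip] = hits.get(ip, 0) + 1
    found = [ip for ip, count in hits.items() if count >= threshold]
    return sorted(found, key=lambda ip: (ip.version, int(ip)))


def blackhole_commands(ips):
    """Render one host route per prober, for review rather than execution."""
    return [f"ip -{ip.version} route add blackhole {ip}/{ip.max_prefixlen}"
            for ip in ips]


# Constructed sample access-log lines using documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Sep/2001:13:40:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '198.51.100.7 - - [18/Sep/2001:13:40:02 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 210',
    '203.0.113.9 - - [18/Sep/2001:13:40:05 -0400] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.20 - - [18/Sep/2001:13:40:07 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '192.0.2.5 - - [18/Sep/2001:13:40:08 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '192.0.2.5 - - [18/Sep/2001:13:40:09 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 210',
    'badhost.example - - [18/Sep/2001:13:40:10 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 210',
    '2001:db8::1 - - [18/Sep/2001:13:40:11 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '2001:db8::1 - - [18/Sep/2001:13:40:12 -0400] "GET /scripts/cmd.exe HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    print("\n".join(blackhole_commands(probing_hosts(SAMPLE_LOG))))
```

The threshold and allowlist are there because a host route drops all traffic to and from the address, including legitimate users behind a shared NAT or proxy.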