Worm probes

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 18, 2001 at 09:51:43AM -0700, Joseph McDonald wrote:
> One idea:  Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.

Better yet, set a host route for them with next hop set to 127.0.0.1.
That assumes that you don't want infected hosts talking to your host at
all.

--
Jeff Gehlbach, Concord Communications <jgehlbach at concord.com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184  fax 770.384.0183

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]