Worm probes
Daniel Senie
dts at senie.com
Tue Sep 18 17:26:53 UTC 2001
At 12:51 PM 9/18/01, Joseph McDonald wrote:
>spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
>spc> probes this morning? We're seeing about 8000/second, starting around
>9:15
>
>Yes. We are seeing it here bigtime. Does anyone have any apache hacks
>to lessen the impact? One idea: Once a probe is sent, the prober's
>IP# is stored in a hash (perhaps in shared memory or a mmap'd file
>that all children can share) and new connections from that IP are no
>longer accepted.
Or better: script which causes a filter rule to be added to ipchains list,
blocking all ports.
-----------------------------------------------------------------
Daniel Senie dts at senie.com
Amaranth Networks Inc. http://www.amaranth.com
More information about the NANOG
mailing list