Worm probes

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 12:51 PM 9/18/01, Joseph McDonald wrote:


>spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
>spc> probes this morning?  We're seeing about 8000/second, starting around 
>9:15
>
>Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
>to lessen the impact?  One idea:  Once a probe is sent, the prober's
>IP# is stored in a hash (perhaps in shared memory or a mmap'd file
>that all children can share) and new connections from that IP are no
>longer accepted.

Or better: script which causes a filter rule to be added to ipchains list, 
blocking all ports.
-----------------------------------------------------------------
Daniel Senie                                        dts at senie.com
Amaranth Networks Inc.                    http://www.amaranth.com

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]