Worm probes

z at s0be.net
Tue Sep 18 17:31:35 UTC 2001
On Tue, 18 Sep 2001, Joseph McDonald wrote:

> spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> spc> probes this morning?  We're seeing about 8000/second, starting around 9:15
>
> Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
> to lessen the impact?  One idea:  Once a probe is sent, the prober's
> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> that all children can share) and new connections from that IP are no
> longer accepted.


<--( SNIP )-->


  That would still allow the malicious network traffic to traverse your
network.

  I'm not seeing more than about 60 unique hosts that are scanning ( YMMV
), so that isn't a huge hit for me ACL-wise ( again YMMV ).   Your choice,
let them bang on your router or your web servers.   Depends on your
situation.

.z
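
Added example (not part of the original message): one way to size the ACL option discussed above, by counting the unique hosts sending /scripts/.. probes in an Apache access log and rendering one deny entry per host. The log lines are constructed, and the Cisco IOS extended ACL syntax and list number 101 are assumptions, since the thread names no router platform.

```python
import ipaddress
import re
from collections import Counter

# Apache common log format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/..%5c../x HTTP/1.0" 404 287
192.0.2.10 - - [18/Sep/2001:09:15:03 -0400] "GET /scripts/..%5c../y HTTP/1.0" 404 287
198.51.100.7 - - [18/Sep/2001:09:15:04 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.44 - - [18/Sep/2001:09:15:05 -0400] "GET /SCRIPTS/../z HTTP/1.0" 404 290
not-an-ip - - [18/Sep/2001:09:15:06 -0400] "GET /scripts/../z HTTP/1.0" 404 290
"""


def probing_hosts(log_text, prefix="/scripts/.."):
    """Count probe requests per source IPv4 address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Compare case-insensitively: the probed paths target a
        # case-insensitive filesystem, so /SCRIPTS/.. is the same probe.
        if not m or not m.group(3).lower().startswith(prefix):
            continue
        try:
            # Only literal IPv4 addresses may end up in router config;
            # hostnames or malformed fields are skipped, not trusted.
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        hits[str(addr)] += 1
    return hits


def acl_lines(hits, acl_number=101):
    """Render deny entries (Cisco IOS extended ACL syntax, an assumption)."""
    hosts = sorted(hits, key=ipaddress.IPv4Address)
    lines = [f"access-list {acl_number} deny ip host {h} any" for h in hosts]
    # Without a trailing permit, the implicit deny would drop everything else.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    hits = probing_hosts(SAMPLE_LOG)
    print(f"{len(hits)} unique probing hosts")
    print("\n".join(acl_lines(hits)))
```

The length of the generated list is the per-packet cost the router takes on, which is the trade-off against letting the web servers absorb the probes.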
