Home page logo

nanog logo nanog mailing list archives

Re: Worm probes
From: Daniel Senie <dts () senie com>
Date: Tue, 18 Sep 2001 13:26:53 -0400

At 12:51 PM 9/18/01, Joseph McDonald wrote:

spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
spc> probes this morning? We're seeing about 8000/second, starting around 9:15

Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
to lessen the impact?  One idea:  Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.

Or better: script which causes a filter rule to be added to ipchains list, blocking all ports.
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.                    http://www.amaranth.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]