Home page logo
/

nanog logo nanog mailing list archives

Re: Worm Probes
From: Roeland Meyer <rmeyer () mhsc com>
Date: Tue, 18 Sep 2001 10:04:34 -0700


The damned thing continues to burn bandwidth here. My IIS systems were
patched long ago and my Apache servers are inherently immune. But, that does
not prevent vulnerability scans and it's those scans that are burning the
pipe. Firewalling the scans sort of blocks those services too. So, that
isn't the answer.

Fortunately, I have long been a fan of having really huge boxen sip their
internet through straws (any single box can saturate the uplink (100baseTX),
at <50% CPU utilization and the WAN:LAN link never exceeds 1:10. So, my
servers are  just loafing. Still, this comes real close to being a DDOS
attack because the WAN port is showing almost 40% usage from scans right
now. I'm real glad that I have another set of zone servers, piggy-backed in
AboveNet.

Has anyone made any progress towards locating origination of these worms?
They seem to be steadily mutating. This means that a/some programmer(s)
is/are behind this somewhere. I'm sure that I'm not the only one that wants
to know.

--
R O E L A N D  M J  M E Y E R
Managing Director
Morgan Hill Software Company
tel: +1 925 373 3954
cel: +1 925 352 3615
fax: +1 925 373 9781 
http://www.mhsc.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]