North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Worm probes
On Tue, 18 Sep 2001, Joseph McDonald wrote: > > > spc> Has anyone else been seeing a dramatic increase in /scripts/.. NT worm > spc> probes this morning? We're seeing about 8000/second, starting around 9:15 > > Yes. We are seeing it here bigtime. Does anyone have any apache hacks > to lessen the impact? One idea: Once a probe is sent, the prober's > IP# is stored in a hash (perhaps in shared memory or a mmap'd file > that all children can share) and new connections from that IP are no > longer accepted. <--( SNIP )--> That would still allow the malicious network traffic to traverse your network. I'm not seeing more than about 60 unique hosts that are scanning ( YMMV ), so that isn't a huge hit for me ACL-wise ( again YMMV ). Your choice, let them bang on your router or your web servers. Depends on your situation. .z
|