Date: Tue, 18 Sep 2001 17:31:15 -0400
From: Chris Faulhaber
To: "Karsten W. Rohrbach"
Cc: Jim Arnold, freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks

On Tue, Sep 18, 2001 at 08:31:28PM +0200, Karsten W. Rohrbach wrote:
> Jim Arnold(jim@ohio.com)@2001.09.18 14:21:50 +0000:
> > i am running an apache server on linux. how do i stop it from gobbling
> > all my bandwidth? i'm being hit by dozens of different servers.
>
> you might configure your 404 error handler to spit out a very small
> file (for example containing just one space character '%20').
>
> mod_throttle or other bandwidth control tools will not help, since the
> worm hits each server it scans with a list of several uris and that's
> pretty much it.
>
> if the worm catches a 404 http error it will cease scanning this
> particular system. bad, that it does not honor redirect requests ;-)
>

I tend to disagree with the next-to-last sentence. I have logged over
6600 requests from 37 unique hosts in the class B on which my box is
located, each request generating a 404. These requests are pretty much
generating a constant stream of log entries. While the bandwidth
doesn't seem to be an issue here, and apache's CPU usage is 0.00
(server is a Pentium 166), my logs are bulging.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
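
An added example, not part of the original message: a Python script that tallies 404 responses per client from an Apache Common Log Format file, counts how many sources sit in the server's own /16 (the "class B" mentioned above), and compares bytes sent in 404 responses with bytes written to the log. The log lines, the 10.20.0.0/16 network, the request paths and the 1-byte 404 body are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) (\d+|-)$')

# Constructed sample: addresses, paths and response sizes are made up.
SAMPLE_LOG = [
    '10.20.1.5 - - [18/Sep/2001:17:00:01 -0400] "GET /constructed-probe-1 HTTP/1.0" 404 1',
    '10.20.1.5 - - [18/Sep/2001:17:00:01 -0400] "GET /constructed-probe-2 HTTP/1.0" 404 1',
    '10.20.77.9 - - [18/Sep/2001:17:00:03 -0400] "GET /constructed-probe-1 HTTP/1.0" 404 1',
    '192.0.2.44 - - [18/Sep/2001:17:00:04 -0400] "GET /constructed-probe-1 HTTP/1.0" 404 1',
    '10.20.3.3 - - [18/Sep/2001:17:00:05 -0400] "GET /index.html HTTP/1.0" 200 2048',
]

def summarize_404s(lines, local_net):
    """Tally 404s per client; compare bytes sent with bytes logged."""
    net = ipaddress.ip_network(local_net)
    per_host = Counter()
    sent = logged = 0
    for raw in lines:
        line = raw.rstrip("\n")
        m = CLF.match(line)
        if not m or m.group(2) != "404":
            continue  # skip malformed lines and non-404 responses
        host, _, size = m.groups()
        per_host[host] += 1
        sent += 0 if size == "-" else int(size)
        logged += len(line) + 1  # +1 for the newline in the log file
    local = []
    for host in per_host:
        try:
            if ipaddress.ip_address(host) in net:
                local.append(host)
        except ValueError:
            pass  # logged as a hostname (HostnameLookups on), not an IP
    return {
        "requests_404": sum(per_host.values()),
        "unique_hosts": len(per_host),
        "local_hosts": len(local),
        "local_requests": sum(per_host[h] for h in local),
        "bytes_sent": sent,
        "bytes_logged": logged,
    }

if __name__ == "__main__":
    for key, value in summarize_404s(SAMPLE_LOG, "10.20.0.0/16").items():
        print(f"{key}: {value}")
```

With a tiny 404 body, `bytes_logged` exceeds `bytes_sent` by a wide margin, which is the situation the reply describes: little bandwidth, large logs.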