Date: Wed, 19 Sep 2001 01:52:50 +0400 (MSD)
From: Maxim Kozin <madmax@express.ru>
To: freebsd-security@freebsd.org
Subject: Re: Nimda-A Worm/Virus threatens networks
Message-ID: <Pine.BSF.4.05.10109190135160.99213-100000@ds.express.ru>
In-Reply-To: <20010918173115.A53937@peitho.fxp.org>
> > > i am running an apache server on linux. how do i stop it from gobbling
> > > all my bandwidth? i'm being hit by dozens of different servers.
> >
> > you might configure your 404 error handler to spit out a very small
> > file (for example containing just one space character '%20').
> >
> > mod_throttle or other bandwidth control tools will not help, since the
> > worm hits each server it scan with a list of several uris and that's
> > pretty it.
>
> I tend to disagree with the next-to-last sentence. I have logged
> over 6600 requests from 37 unique hosts in the class B on which
> my box is located, each request generating a 404. These requests
> are pretty much generating a constant stream of log entries.
> While the bandwidth doesn't seem to be an issue here, and apache's
> CPU usage is 0.00 (server is a Pentium 166), my logs are bulging.

Hi.

I use mod_bwshare on all hosting hosts. Each host carries from 300 to 800 aliases (and the corresponding virtual base-IP hosts) on the loopback interface. mod_bwshare gets statistics based on client IP.

I detect the peak on each host, then check manually:

    netstat -an | grep leader_ip

If it is not a robot's engine, then leader_ip does not have a maximum in my_side_ip_distribution.

Example for some index robot (uniq -c gives the per-address count shown below):

    netstat -an | grep tcp4 | grep leader_ip | cut -c22- | cut -d"." -f-4 | sort -n | uniq -c
    100 aa.bb.cc.dd

It shows that leader_ip indexed (or flooded? :) host aa.bb.cc.dd

But now, from 17h53m MSK time (+04), the distribution changed:

    1 a.b.c.d
    1 w.e.r.t
    2 x.d.f.r

and practically all interfaces on the current host.

After this I set 5-10 deny ipfw rules on the border router for blocking hosts and networks. Now I have a collection that dramatically reduces load on all hosting servers:

    ipfw add 01 deny tcp from 212.24.188.206 to any
    ipfw add 03 deny tcp from 212.66.73.2 to any
    ipfw add 04 deny tcp from 212.24.0.0/19 to any
    ipfw add 06 deny tcp from 212.24.193.185 to any

After 7hr, at 1h00m MSK time (+04), I checked the counters on these rules. The counters roll and roll; temporarily deleting a rule gets the result that the host server slows down, and the rule was set again.

IMHO some kind of dynamic firewall solves the problem. Maybe mod_bwshare and "perl automatic" + ipfw would solve the problem too.

b.r. Kozin Maxim

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
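The check the message describes, as an added example written for this page (not code from the original e-mail, from mod_bwshare or from FreeBSD): parse `netstat -an`-style lines, count how many distinct local addresses a given remote ("leader") IP is connected to, and treat a remote that fans out across most of the host's aliases as a scanner rather than an indexing robot, emitting ipfw deny rules of the shape used in the message for those. The netstat lines, the addresses, the alias list, the fan-out threshold and the rule numbers are all constructed for the example; the column layout assumed is FreeBSD's `a.b.c.d.port` form.

```python
"""
Added example, not part of the original message: per-local-IP distribution
of connections from one remote address (the message's netstat pipeline),
a simple scanner-vs-robot classification, and ipfw deny rule generation.
All sample data below is constructed.
"""
from collections import Counter

# Constructed sample of FreeBSD `netstat -an` output (tcp4 lines only).
# FreeBSD prints addresses as a.b.c.d.port, so the last dot-field is the port.
SAMPLE_NETSTAT = """\
tcp4       0      0  10.0.0.1.80            192.0.2.10.40001       ESTABLISHED
tcp4       0      0  10.0.0.1.80            192.0.2.10.40002       ESTABLISHED
tcp4       0      0  10.0.0.1.80            192.0.2.10.40003       TIME_WAIT
tcp4       0      0  10.0.0.2.80            198.51.100.7.51000     ESTABLISHED
tcp4       0      0  10.0.0.3.80            198.51.100.7.51001     ESTABLISHED
tcp4       0      0  10.0.0.4.80            198.51.100.7.51002     SYN_RCVD
tcp4       0      0  10.0.0.5.80            198.51.100.7.51003     ESTABLISHED
tcp4       0      0  10.0.0.1.22            203.0.113.5.2222       ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
"""

# Constructed list of the aliases configured on this host (the message's
# 300-800 loopback aliases, shrunk to five for the example).
ALIASES = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]


def split_addr(field):
    """Split FreeBSD's 'a.b.c.d.port' into (ip, port); port is None for '*'."""
    ip, _, port = field.rpartition(".")
    return ip, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port) for tcp4 lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "tcp4":
            continue
        lip, lport = split_addr(parts[3])
        rip, rport = split_addr(parts[4])
        if rip == "*":          # listening sockets carry no remote peer
            continue
        yield lip, lport, rip, rport


def local_distribution(text, leader_ip):
    """Equivalent of the message's pipeline: connections from leader_ip per local IP."""
    return Counter(lip for lip, _, rip, _ in parse_netstat(text) if rip == leader_ip)


def classify(text, leader_ip, local_ips, fanout_ratio=0.5):
    """'robot' if the remote concentrates on a few local addresses, 'scanner'
    if it touches at least fanout_ratio of the known aliases (threshold is
    a constructed choice), 'idle' if it has no connections at all."""
    dist = local_distribution(text, leader_ip)
    if not dist:
        return "idle"
    if len(dist) >= max(2, int(len(local_ips) * fanout_ratio)):
        return "scanner"
    return "robot"


def ipfw_rules(text, local_ips, start_rule=100):
    """Emit ipfw deny rules (same shape as in the message) for every remote
    classified as a scanner. Rule numbering is constructed."""
    remotes = sorted({rip for _, _, rip, _ in parse_netstat(text)})
    rules = []
    number = start_rule
    for rip in remotes:
        if classify(text, rip, local_ips) == "scanner":
            rules.append(f"ipfw add {number} deny tcp from {rip} to any")
            number += 1
    return rules


if __name__ == "__main__":
    for rip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(rip, dict(local_distribution(SAMPLE_NETSTAT, rip)),
              classify(SAMPLE_NETSTAT, rip, ALIASES))
    print("\n".join(ipfw_rules(SAMPLE_NETSTAT, ALIASES)))
```

The distribution step is the same information the message's `netstat | cut | sort | uniq` chain produces; the classification only automates the manual judgement in the message (one local address with many connections reads as an indexer, near-total fan-out across aliases reads as the worm), and a rule is emitted only for the latter so that a legitimate crawler is not blocked.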
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.10109190135160.99213-100000>