From: "Danny Horne"
To: "Ian Smith"
Subject: RE: OT - Attack on Apache?
Date: Sun, 4 Nov 2001 19:20:33 -0000
Sender: owner-freebsd-security@FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Ian Smith
> Sent: Saturday 03 November 2001 5:41pm
> To: Danny Horne
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: OT - Attack on Apache?
>
> 408 is a Request Timeout. 'The client did not produce a request within
> the time that the server was prepared to wait. The client MAY repeat
> the request without modifications at any later time.'
>
> Most likely just the source box so bogged down that it can't complete
> its requests in time. I've only seen such groups of these from Windows
> webserver IPs infected with Nimda, 'randomly' scanning our subnet with
> HTTP requests. Only a bother, not a danger.
>
> Note that the first octet of the IP address is the same as yours. You
> may see as many or more of these (Nimda requests in general), over time,
> from IPs having the same first two octets as your own address. We did,
> anyway. Walling it off from tcp 80 access, at least until it's fixed,
> won't hurt :-)
>

Thanks Ian, I've put a blanket ban on this IP for a while
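
An added example, not part of the original thread: one way to pull the groups of 408 responses discussed above out of an Apache access log and see how many leading octets each source shares with the server's own address. The function names, the `min_hits` threshold, the server address 10.1.2.3 and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import AddressValueError, IPv4Address

# Apache common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

def shared_octets(a, b):
    """Count the leading octets two IPv4 addresses have in common (0-4)."""
    n = 0
    for x, y in zip(IPv4Address(a).packed, IPv4Address(b).packed):
        if x != y:
            break
        n += 1
    return n

def timeout_sources(lines, server_ip, min_hits=3):
    """Map each client with >= min_hits 408s to (count, shared leading octets)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "408":
            continue
        try:
            IPv4Address(m.group(1))
        except AddressValueError:
            continue  # host logged as a name (HostnameLookups on); skipped here
        hits[m.group(1)] += 1
    return {ip: (n, shared_octets(ip, server_ip))
            for ip, n in hits.items() if n >= min_hits}

# Constructed sample log lines; a timed-out connection is logged with "-" as the request.
SAMPLE = (
    ['10.9.8.7 - - [03/Nov/2001:17:02:11 +0000] "-" 408 -'] * 3
    + ['10.1.200.5 - - [03/Nov/2001:17:05:40 +0000] "-" 408 -'] * 4
    + ['scanner.example.net - - [03/Nov/2001:17:07:15 +0000] "-" 408 -'] * 3
    + ['172.16.0.9 - - [03/Nov/2001:17:09:02 +0000] "-" 408 -',
       '10.9.8.7 - - [03/Nov/2001:17:10:13 +0000] "GET / HTTP/1.0" 200 1456']
)

if __name__ == "__main__":
    found = timeout_sources(SAMPLE, "10.1.2.3")
    for ip, (count, shared) in sorted(found.items(), key=lambda kv: -kv[1][1]):
        print(f"{ip}: {count} x 408, shares {shared} leading octet(s) with server")
```

Sources that share one or two leading octets with the server are the ones the quoted reply expects to recur, so they are the natural candidates for a temporary tcp 80 block.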