From: Bill Vermillion
Reply-To: bv@wjv.com
Date: Tue, 18 Sep 2001 20:20:05 -0400
To: Eric_Stanfield@kenokozie.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010918202005.B19613@wjv.com>
Organization: W.J.Vermillion / Orlando - Winter Park

On Tue, Sep 18, 2001 at 04:17:58PM -0500, Eric_Stanfield@kenokozie.com thus sprach:

> I find it interesting that everyone I've talked to today has
> logged the initial nimda attack within 30 seconds of the time you
> listed below (after adjusting for timezones).

I've seen an acceleration of the attack this evening [EST]. I've had
log files just exploding in size. They are growing at well over 500
lines per minute.

We have a small company doing specialized work and we have our own
racks in a communications facility. The servers have 100Mbit uplinks
into the OC-192 backbone so I'm not going to be limited by pipe width,
which also means that I can't get faster too.

I've just turned off all logging for web traffic as I didn't want to
have the systems fall over for lack of drive space.

Just a reminder here to check your log files to make sure something
like this doesn't happen to you.

Just a file guess but here the nimda traffic is probably about 5 times
more than the highest CodeRed days.

I'm sure glad I have NO MS machines that I maintain but a client has
two in our racks and I called them about 1030 this AM. I wish them
luck.

-- 
Bill Vermillion - bv @ wjv . com