From: Mike Meyer
Date: Sun, 5 Aug 2001 11:25:01 -0500
To: Louis LeBlanc
Cc: questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <15213.29533.375904.18788@guru.mired.org>
In-Reply-To: <119049501@toto.iv>

Louis LeBlanc types:
> Of course, but for each miss, I end up with a message in my inbox
> notifying me of a 404 encountered on my site. It doesn't happen
> often; once in a while someone requests favicon.ico, which is probably
> someone trying an innocuous test to see if I am running a server and
> which one.

favicon.ico is IE - and any browser that has picked this up as well - asking for an icon to use for pages on your site/in that directory. You can provide one yourself if you want; I use a beastie for mine.

> Anyway, that's the rub. Seems this code red isn't just a worm, it's a
> network virus, because of the traffic it's generating. If a piddly
> server like mine gets a hundred hits in the course of 6 hours, what's
> it doing to the big sites right now? And what is the effect on
> general network connectivity? Seems the whole net must be bogged
> down. I know my response times, even to freebsd.org, are down
> noticeably.

Since it picks IP addresses at random, any given IP address should see the same number of hits. Depending on the nature of the RNG used, some sites may be immune. Sites running on server farms with lots of IP addresses will see the same number of hits per IP as those of us on single sites, but the total will be proportionately greater.

What scares me is the possibility of near-exponential growth of the thing. I've put up a plot of hits/hour since it started - at about 9am CDT - to now at . Discount the last data point - it only includes about 15 minutes of hits. The large jump around 9am 8/4 got me, but it seems to have peaked at 45/hour, and fallen back to ~15/hour. I can understand the levelling out as the population of suspect servers approaches saturation, but why did it drop off? Or is the spike just random noise?

> Even connectivity to mail systems seems much slower. Is this stupid
> worm hitting mail servers too?

Nope.

--
http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
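An added example, not part of the original thread, of the hits/hour tally Mike describes: it parses Apache common-log-format lines, keeps only 404 responses, and bins them by hour together with the number of distinct source addresses in each bin, which is the figure you would expect to track the number of randomly scanning hosts that found you. The log lines are constructed samples and the request path /probe is a placeholder, not the worm's real request.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common log format (not from the original message).
# The path /probe is a placeholder for whatever the scanner asks for.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:09:02:11 -0500] "GET /favicon.ico HTTP/1.1" 404 209
10.0.0.7 - - [04/Aug/2001:09:15:43 -0500] "GET /probe HTTP/1.0" 404 209
10.0.0.7 - - [04/Aug/2001:09:17:02 -0500] "GET /probe HTTP/1.0" 404 209
10.0.0.9 - - [04/Aug/2001:10:01:30 -0500] "GET /index.html HTTP/1.1" 200 1543
10.0.0.11 - - [04/Aug/2001:10:40:12 -0500] "GET /probe HTTP/1.0" 404 209
this line is garbage and must be skipped
"""

# host ident user [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "req": m.group("req"), "status": int(m.group("status"))}


def hits_per_hour(log_text, status=404):
    """Return a sorted list of (hour_label, hits, distinct_sources) for the given status.

    The last bucket covers only a partial hour if the log is still being written,
    so discount it when reading the numbers off, as the message above notes.
    """
    buckets = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["status"] != status:
            continue  # skip unparseable lines and non-matching responses
        hour = rec["ts"].strftime("%Y-%m-%d %H:00")
        buckets[hour][0] += 1
        buckets[hour][1].add(rec["ip"])
    return [(h, n, len(ips)) for h, (n, ips) in sorted(buckets.items())]


if __name__ == "__main__":
    for hour, hits, sources in hits_per_hour(SAMPLE_LOG):
        print(f"{hour}  hits={hits:3d}  sources={sources:3d}")
```

Feed it a real access log with `hits_per_hour(open("access_log").read())` to get the same hourly series the plot was built from.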