From owner-freebsd-questions Sun Aug 5 10:59:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.urx.com (mail.urx.com [63.170.19.36]) by hub.freebsd.org (Postfix) with ESMTP id C3AEA37B401 for ; Sun, 5 Aug 2001 10:59:09 -0700 (PDT) (envelope-from kstewart@urx.com)
Received: from urx.com [206.159.132.160] by mail.urx.com with ESMTP (SMTPD32-6.06) id A958C0202A0; Sun, 05 Aug 2001 10:58:48 -0700
Message-ID: <3B6D8955.7B346069@urx.com>
Date: Sun, 05 Aug 2001 10:58:45 -0700
From: Kent Stewart
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Mike Meyer
Cc: Louis LeBlanc, questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
References: <15213.29533.375904.18788@guru.mired.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mike Meyer wrote:
> 
> Louis LeBlanc types:
> > Of course, but for each miss, I end up with a message in my inbox
> > notifying me of a 404 encountered on my site. It doesn't happen
> > often, once in a while someone requests favicon.ico, which is probably
> > someone trying an innocuous test to see if I am running a server and
> > which one.
> 
> favicon.ico is IE - and any browser that has picked this up as well -
> asking for an icon to use for pages on your site/in that
> directory. You can provide one yourself if you want; I use a beastie
> for mine. I think I added the one you introduced to fbsd onto my site.
> 
> > Anyway, that's the rub. Seems this code red isn't just a worm, it's a
> > network virus, because of the traffic it's generating. If a piddly
> > server like mine gets a hundred hits in the course of 6 hours, what's
> > it doing to the big sites right now? And what is the effect on
> > general network connectivity? Seems the whole net must be bogged
> > down. I know my response times, even to freebsd.org, are down
> > noticeably.
> 
> Since it picks IP addresses at random, any given IP address should see
> the same number of hits. Depending on the nature of the RNG used,
> some sites may be immune. Sites running on server farms with lots of
> IP addresses will see the same number of hits per IP as those of us on
> single sites, but the total will be proportionately greater.
> 
> What scares me is the possibility of near-exponential growth of the
> thing. I've put up a plot of hits/hour since it started - at about 9am
> CDT - to now at . Discount the
> last data point - it only includes about 15 minutes of hits. The large
> jump around 9am 8/4 got me, but it seems to have peaked at 45/hour,
> and fallen back to ~15/hour. I can understand the levelling out as the
> population of suspect servers approaches saturation, but why did it
> drop off? Or is the spike just random noise?

Your hit rate is much greater than mine. My complete list of error log
messages is on http://dsl1-160.dynacom.net/code_red.html. The complete
list is only 4 screens of text.

I am also seeing a mutation. The first error log message was the
typical one, but yesterday the second one also started showing up.

[Sun Aug 5 08:31:26 2001] [error] [client 212.205.80.11] \
Client sent malformed Host header

[Sun Aug 5 08:41:47 2001] [error] [client 24.2.244.206] \
File does not exist: /usr/local/www/data/default.ida

Kent

> 
> > Even connectivity to mail systems seems much slower. Is this stupid
> > worm hitting mail servers too?
> 
> Nope.
> 
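A small tally in the spirit of the hits/hour plot discussed in the thread, added here as an example and not part of the original message: it parses Apache 1.3 error_log lines in the format Kent quotes, counts entries carrying the two Code Red signs he reports (a request for default.ida, a malformed Host header) per clock hour, and collects the distinct client addresses. The regex, the marker strings and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log line: [Sun Aug  5 08:31:26 2001] [error] [client 1.2.3.4] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

# Signs of a Code Red probe reaching a non-IIS host, as quoted in the thread: the worm
# requests /default.ida (an IIS Index Server extension Apache has no file for), and some
# hits arrive with a Host header Apache rejects. Marker strings are an assumption.
CODE_RED_MARKERS = ("default.ida", "malformed Host header")

def parse_line(line):
    """Return (datetime, client_ip, message) for one error_log line, or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Apache pads single-digit days with two spaces; collapse them before parsing.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")

def code_red_hits_per_hour(lines):
    """Bucket Code Red-style hits by clock hour ('YYYY-MM-DD HH' -> count) and
    return the set of distinct client IPs that sent them; other entries are ignored."""
    hits = Counter()
    sources = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if any(marker in msg for marker in CODE_RED_MARKERS):
            hits[ts.strftime("%Y-%m-%d %H")] += 1
            sources.add(ip)
    return dict(hits), sources

# Constructed sample in the format quoted in the thread (TEST-NET addresses, not real data).
SAMPLE_LOG = """\
[Sun Aug  5 08:31:26 2001] [error] [client 192.0.2.10] Client sent malformed Host header
[Sun Aug  5 08:41:47 2001] [error] [client 192.0.2.20] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 08:55:02 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Sun Aug  5 09:12:33 2001] [error] [client 192.0.2.30] File does not exist: /usr/local/www/data/favicon.ico
[Sun Aug  5 09:20:00 2001] [error] [client 192.0.2.40] File does not exist: /usr/local/www/data/default.ida
not an error_log entry; parse_line() returns None and it is skipped
""".splitlines()
```

Calling `code_red_hits_per_hour(SAMPLE_LOG)` on the sample gives three hits in the 08:00 hour and one in the 09:00 hour from three distinct sources; the favicon.ico miss Louis mentions is correctly left out of the count.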