Date: Sun, 5 Aug 2001 11:25:01 -0500
From: Mike Meyer <mwm@mired.org>
To: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
Cc: questions@freebsd.org
Subject: Re: Attempted Buffer Overrun in via httpd?
Message-ID: <15213.29533.375904.18788@guru.mired.org>
In-Reply-To: <119049501@toto.iv>

Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net> types:
> Of course, but for each miss, I end up with a message in my inbox
> notifying me of a 404 encountered on my site.  It doesn't happen
> often, once in a while someone requests favicon.ico, which is probably
> someone trying an innocuous test to see if I am running a server and
> which one.

favicon.ico is IE - and any browser that has picked this up as well -
asking for an icon to use for pages on your site/in that directory. You
can provide one yourself if you want; I use a beastie for mine.

> Anyway, that's the rub.  Seems this code red isn't just a worm, it's a
> network virus, because of the traffic it's generating.  If a piddly
> server like mine gets a hundred hits in the course of 6 hours, what's
> it doing to the big sites right now?  And what is the effect on
> general network connectivity?  Seems the whole net must be bogged
> down.  I know my response times, even to freebsd.org, are down
> noticeably.

Since it picks IP addresses at random, any given IP address should see
the same number of hits. Depending on the nature of the RNG used, some
sites may be immune. Sites running on server farms with lots of IP
addresses will see the same number of hits per IP as those of us on
single sites, but the total will be proportionately greater.

What scares me is the possibility of near-exponential growth of the
thing. I've put up a plot of hits/hour since it started - at about 9am
CDT - to now at <URL: http://www.mired.org/codered.ps >. Discount the
last data point - it only includes about 15 minutes of hits. The large
jump around 9am 8/4 got me, but it seems to have peaked at 45/hour, and
fallen back to ~15/hour. I can understand the levelling out as the
population of suspect servers approaches saturation, but why did it
drop off? Or is the spike just random noise?

> Even connectivity to mail systems seems much slower.  Is this stupid
> worm hitting mail servers too?

Nope.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
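
A hits/hour tally of the kind plotted in the message above, as an added example that is not part of the original e-mail or the author's own script. It assumes Apache Common Log Format and that Code Red probes are requests for /default.ida? (general knowledge about the worm, not stated in the message); the log lines are constructed, and the last bucket is flagged as partial so it can be discounted.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache Common Log Format (not real traffic;
# the probe query strings are truncated placeholders).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:08:12:44 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:08:47:02 -0500] "GET /favicon.ico HTTP/1.1" 404 280
203.0.113.5 - - [04/Aug/2001:10:03:19 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
192.0.2.77 - - [04/Aug/2001:10:41:50 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:10:58:13 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.99 - - [04/Aug/2001:11:05:31 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
"""

# Assumption (not from the e-mail): Code Red probes request this path.
PROBE_PREFIX = "/default.ida?"
# Captures: client IP, timestamp, request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} ')

def parse_ts(ts):
    """Parse an Apache timestamp such as 04/Aug/2001:08:12:44 -0500."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def probes_per_hour(log_text, log_end):
    """Return [(hour, hits, distinct_sources, complete)] for each hour in range."""
    hits, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).lower().startswith(PROBE_PREFIX):
            continue  # unparseable line or ordinary request (e.g. favicon.ico)
        hour = parse_ts(m.group(2)).replace(minute=0, second=0)
        hits[hour] += 1
        sources.setdefault(hour, set()).add(m.group(1))
    rows = []
    if not hits:
        return rows
    hour, last = min(hits), max(hits)
    while hour <= last:  # emit quiet hours too, so a plot has no gaps
        complete = hour + timedelta(hours=1) <= log_end
        rows.append((hour.strftime("%Y-%m-%d %H:00"), hits[hour],
                     len(sources.get(hour, ())), complete))
        hour += timedelta(hours=1)
    return rows

if __name__ == "__main__":
    end = parse_ts("04/Aug/2001:11:15:00 -0500")  # when the log was read
    for label, n, srcs, complete in probes_per_hour(SAMPLE_LOG, end):
        note = "" if complete else "  (partial hour, discount)"
        print(f"{label}  hits={n}  sources={srcs}{note}")
```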