Subj : Apache 1.3.22 up but?
To : Mike Luther
From : mark lewis
Date : Sat Nov 03 2001 05:28 am

[picking up from last message]

ML>> right?

 ml>> yes, pretty much... i think i'd trap on
 ml>> "/path/root.exe" and each of the others... in
 ml>> other words, just shorten it enough to get just that
 ml>> stuff without having to parse too much... it really
 ml>> should be enough to let apache handle it but it is
 ml>> possible that one may see 1000+ hits per second from
 ml>> NIMDAs all over the first two ip octets you're in...

ML> I think I know enough to begin writing here... Trying to
ML> triage all this into what is most proactical (I'll leave you
ML> to figure out about four terrible pun relationships in that
ML> coined word!) at this point!

hehehe, yes, i know what you mean but i'm not sure i got the puns <>

as far as the nimda attack stuff, see my next message... it is the CERT advisory on NIMDA... this does not include the new NIMDA.E variant that is using two additional attack URL "vectors"...

 ml>> yes, that should work... hopefully ijfire won't get
 ml>> bogged down trying to handle the possible high numbers
 ml>> of hits or even get taken out, itself...

ML> I've read into that this can happen but have no information on
ML> what the chances are based on this level of attack rates.

i believe that it is (even) possible for a router or firewall to become a bottleneck if they are using a lot of filters and/or having to filter a lot of traffic... imagine 10 NIMDA-infected machines in the same 192.168.xx.xx address range as you are... those machines fire off their 16 URL requests at the same time... that's 160 requests at once that your machine will have to handle... now, say that each NIMDA'd machine also hits you with each request 500 times... now we're looking at 80000 hits that something has to handle... on my stuff here, i've seen 500 hits logged over a few minutes (ie: one or two IIRC)... that can be a major amount of traffic for something to have to work with...
 ml>> ok... i'll add that address to my abuse addresses list... don't know
 ml>> that i'll need it unless i get hit from there during
 ml>> one/some of the random ip number generation attacks
 ml>> that nimda uses... in many cases, i've been able to
 ml>> hop over to one of the windows boxes, here, and smack
 ml>> that attacking machine right off the entire network...

ML> How delicate!

hehe, the first time i did it and it worked as was described to me, i was ecstatic... after that, it became almost routine... do this, do that, open this, drag that over here and drop it over there, send the signal, watch the machine disappear from the 'net... after doing that some 100+ times, it's become almost rote and burnout boring...

the problem that "we" face now is that many of those NIMDA'd boxes have had windows security settings adjusted such that one doesn't have security rights to access some of the needed items to be able to get in and shut the machine down... but the box is still infected and attacking... and when one is dealing with dialups and, i guess, cable/dsl feeds, it can become quite a chore for anyone to figure out what box is infected... the number of systems that have frontpage installed and subsequently personal web server or IIS and the users don't even know is abominable... such is the life that m$ wants to create... a world of sheeple... hummm, that sounds almost talibanish...

['nother trim for length <>]

)\/(ark

 * Origin: (1:3634/12)
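Added example, written for this page and not code from the message or its author: a small Python scan over Apache access-log lines that does what the thread suggests, trapping on the executable name at the end of Nimda's probe URLs (root.exe / cmd.exe, the paths listed in CERT advisory CA-2001-26) rather than parsing every traversal variant, then counting probe hits per source address and flagging sources above a threshold so they can be dropped upstream instead of having httpd answer each 404. The log lines are constructed, the threshold is an assumption, and the regexes are my own, not anything from the original post or from Apache.

```python
"""Trap Nimda-style probes in an Apache access log and flag noisy sources.

Added example for the discussion above; not from the original message.
The probe paths follow CERT CA-2001-26 (root.exe / cmd.exe, reached via
/scripts, /MSADC, /c, /d and unicode / double-encoded traversals).
"""
import re
from collections import Counter

# Apache common/combined log format:
#   host ident authuser [date] "METHOD path proto" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Every Nimda request line ends in root.exe or cmd.exe followed by the
# "?/c+dir" query.  Matching just the executable name (as the message
# suggests) covers all 16 URL variants without decoding the traversal.
NIMDA_EXE = re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.IGNORECASE)

# Constructed sample log (not real traffic).  Two sources probe, one is clean.
SAMPLE_LOG = """
192.168.10.5 - - [03/Nov/2001:05:10:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.168.10.5 - - [03/Nov/2001:05:10:01 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
192.168.10.5 - - [03/Nov/2001:05:10:02 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.168.10.5 - - [03/Nov/2001:05:10:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.168.10.77 - - [03/Nov/2001:05:11:30 -0600] "GET /index.html HTTP/1.0" 200 1043
192.168.10.77 - - [03/Nov/2001:05:11:31 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.9 - - [03/Nov/2001:05:12:00 -0600] "GET /images/logo.gif HTTP/1.0" 200 5123
""".strip().splitlines()


def is_nimda_probe(path: str) -> bool:
    """True if the request path ends in root.exe or cmd.exe (Nimda signature)."""
    return NIMDA_EXE.search(path) is not None


def parse_line(line: str):
    """Split one access-log line into fields, or None if it is not log-shaped."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_probes(lines) -> Counter:
    """Count Nimda probe hits per source host, ignoring unparsable lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_nimda_probe(rec["path"]):
            hits[rec["host"]] += 1
    return hits


def noisy_sources(hits: Counter, threshold: int):
    """Sources with at least `threshold` probe hits, busiest first.

    The threshold is a tuning knob (assumed value, not from the page): a
    single infected box sends 16 probes per sweep, so anything well above
    that is a candidate for an upstream block rather than per-request 404s.
    """
    flagged = [(host, n) for host, n in hits.items() if n >= threshold]
    return sorted(flagged, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    counts = scan_probes(SAMPLE_LOG)
    for host, n in noisy_sources(counts, threshold=3):
        print(f"{host}: {n} Nimda probes, consider blocking upstream")
```

In practice the log would be tailed from the real access_log and the threshold set from observed sweep sizes; the point of the example is that the match stays on the executable name, so the 16 known variants and any encoding tricks in the traversal part are all caught by one short pattern.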