HP3000-L Archives

September 2001, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Bruce Toback <[log in to unmask]>
Reply To: Bruce Toback <[log in to unmask]>
Date: Fri, 21 Sep 2001 10:00:16 -0700

Michael Guterman writes:

>  While maybe not all of it, a good chunk of the slowdown in
>spots can be attributed to the Nimda virus.  I've had a couple
>of customers take serious hits, and I personally had to clean
>one of our servers here although I would swear that it was
>fully patched and protected!

I have no NT servers here so that's not a problem, but...

>By checking the logs on our
>main Internet web server, we are averaging approximately
>about one attack per minute on each web site over the last
>couple of days.

Lucky dog. We're getting about one per SECOND on each site. Our ISP
reported 1.2 million on their web sites just yesterday.

>At times, our T1 speed bandwidth is sucked
>dry with the volume.

I had our ISP block inbound port 80 on every address in our address space
except for the small range on which we run actual web servers. This
helped considerably, since most probes no longer get sent down our pipe.
Note that it doesn't do any good to block the probes at your border
router, since they still take up your bandwidth even if they can't touch
your systems.

Then this morning, someone tried using our network for a DDOS attack.
Fully 2/3 of the packets coming down the wire were broadcast ping
requests. Again, while our router stopped them, it did nothing for the
bandwidth they used. I called the ISP (again) and they put the
broadcast-address filter at their end, once again freeing up our
bandwidth for Nimda packets :-(.

When we're done with the terrorist organizations, can we please just turn
the whole apparatus onto the so-called "hacker groups"?

-- Bruce


--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
