Subj : Apache 1.3.22 up but?
To   : Mike Luther
From : mark lewis
Date : Sat Nov 03 2001 04:28 am

[picking up from last message]

ML>> right?

ml>> yes, pretty much... i think i'd trap on
ml>> "/path/root.exe" and each of the others... in
ml>> other words, just shorten it enough to get just that
ml>> stuff without having to parse too much... it really
ml>> should be enough to let apache handle it but it is
ml>> possible that one may see 1000+ hits per second from
ml>> NIMDAs all over the first two ip octets you're in...

ML> I think I know enough to begin writing here...  Trying to
ML> triage all this into what is most proactical (I'll leave you
ML> to figure out about four terrible pun relationships in that
ML> coined word!) at this point!

hehehe, yes, i know what you mean but i'm not sure i got the puns <<GG>>

as far as the nimda attack stuff, see my next message... it is the CERT
advisory on NIMDA... this does not include the new NIMDA.E variant that is
using two additional attack URL "vectors"...

ml>> yes, that should work... hopefully ijfire won't get
ml>> bogged down trying to handle the possible high numbers
ml>> of hits or even get taken out, itself...

ML> I've read into that this can happen but have no information on
ML> what the chances are based on this level of attack rates.

i believe that it is (even) possible for a router or firewall to become a
bottleneck if they are using a lot of filters and/or having to filter a lot of
traffic... imagine 10 NIMDA infected machines in the same 192.168.xx.xx address
range as you are... those machine fire off their 16 URL requests at the same
time... that's 160 requests at once that your machine will have to handle...
now, say that each NIMDA'd machine also hits you with each request 500 times...
now we're looking at 80000 hits that something has to handle... on my stuff
here, i've seen 500 hits logged over a few minutes (ie: one or two IIRC)...
that can be a major amount of traffic for something to have to work with...

ml>> ok... i'll add that address to my abuse addresses list... don't know
ml>> that i'll need it unless i get hit from there during
ml>> one/some of the random ip number generation attacks
ml>> that nimda uses... in many cases, i've been able to
ml>> hop over to one of the windows boxes, here, and smack
ml>> that attacking machine right off the entire network...

ML> How delicate!

hehe, the first time i did it and it worked as was described to me, i was
ecstatic... after that, it became almost routine... do this, do that, open
this, drag that over here and drop it over there, send the signal, watch the
machine disappear from the 'net... after doing that some 100+ times, it's
become almost rote and burnout boring... the problem that "we" face now is that
many of those NIMDA'd boxes have had windows security settings adjusted such
that one doesn't have security rights to access some of the needed items to be
able to get in and shut the machine down... but the box is still infected and
attacking... and when one is dealing with dialups and, i guess, cable/dsl
feeds, it can become quite a chore for anyone to figure out what box is
infected... the number of systems that have frontpage installed and
subsequently personal web server or IIS and the users don't even know is
abominable... such is the life that m$ wants to create... a world of sheeple...
hummm, that sounds almost talibanish...

['nother trim for length <<GG>>]

)\/(ark


* Origin: (1:3634/12)
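The trap mark describes above (match just the probe filename, "root.exe" or "cmd.exe", at the end of the request path rather than parsing the whole traversal string, and count hits per source address) as an added worked example. This is not code from the message thread or from Apache; the log lines are constructed in Apache common log format to look like the Nimda probe URLs listed in CERT CA-2001-26, the addresses and timestamps are made up, and the three-hit threshold and the "Deny from" output are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (Apache common log format). The request paths
# follow the shape of the Nimda probes in CERT CA-2001-26; the addresses,
# timestamps and status codes are invented for this example.
SAMPLE_LOG = """\
192.168.4.17 - - [03/Nov/2001:04:01:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 301
192.168.4.17 - - [03/Nov/2001:04:01:11 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 301
192.168.4.17 - - [03/Nov/2001:04:01:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
192.168.4.17 - - [03/Nov/2001:04:01:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
192.168.4.17 - - [03/Nov/2001:04:01:12 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
192.168.9.200 - - [03/Nov/2001:04:02:40 -0500] "GET /index.html HTTP/1.0" 200 1432
192.168.9.200 - - [03/Nov/2001:04:02:41 -0500] "GET /images/logo.gif HTTP/1.0" 200 8212
192.168.22.5 - - [03/Nov/2001:04:03:03 -0500] "GET /scripts/..%%35%63../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 301
"""

# Common log format: client, ident, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The two filenames every Nimda probe URL ends in. Trapping on these is the
# "shorten it enough" approach: no need to parse the traversal junk in front.
NIMDA_MARKERS = ("root.exe", "cmd.exe")


def is_nimda_probe(path):
    """True if the request path names one of the Nimda probe targets.

    The path is percent-decoded twice because several probes use
    double-encoded '..%255c..' traversal. The filename itself is never
    encoded in the known probes, but decoding is cheap and also catches an
    encoded variant; invalid byte sequences such as %c1%1c are replaced by
    unquote() rather than raising.
    """
    decoded = unquote(unquote(path)).lower()
    return any(marker in decoded for marker in NIMDA_MARKERS)


def parse_line(line):
    """Return (client_ip, request_path) for a common-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")


def scan(log_text, threshold=3):
    """Count Nimda-looking probes per source address.

    Returns (hits_by_ip, offenders); offenders are the addresses whose probe
    count reached the threshold (3 is an assumed value for this example; a
    real Nimda host fires its whole set of probe URLs, so even a low bar
    separates it from a one-off curiosity hit).
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        if is_nimda_probe(path):
            hits[ip] += 1
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, offenders


def deny_rules(offenders):
    """Render offenders as Apache 1.3 'Deny from' directives (one per host)."""
    return ["Deny from %s" % ip for ip in offenders]


if __name__ == "__main__":
    hits, offenders = scan(SAMPLE_LOG)
    for ip, n in sorted(hits.items()):
        print("%-16s %d probe(s)" % (ip, n))
    for rule in deny_rules(offenders):
        print(rule)
```

The per-address counter is the part that matters for the volume problem discussed in the message: one infected host produces a burst of probes in the same second, so aggregating by source and acting on the source (a deny rule, an abuse report) costs far less than matching every request individually at the firewall.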