[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IIS worms and apache

On Sun, Aug 08, 2004 at 03:32:51PM +1000, Russell Coker wrote:
> On Sat, 7 Aug 2004 14:56, "Shannon R." <shannon_mtbikes@yahoo.com> wrote:
> > Is there a debian package wherein the app recognizes IIS worm attacks? Then
> > blocks these IPs in real time?
> Why bother?  They can't do any harm, and the bandwidth that they take is
> usually a small portion of the total bandwidth.  Why not just ignore them,
> it's the easiest thing to do.

one reason to do it is if you have several hundred IP-based virtual hosts on
one server.  the load (including logging) from virus probes against all your IP
addresses at once is significant.

of course, it's better to just convert as many as you can to name-based virtual
hosts (i.e. all of them except https sites).  

this can take some time to co-ordinate if you don't host the DNS as well as the
web site.  do all of the sites where you host the DNS and sent notices to the
domain owners where the DNS is hosted elsewhere - don't ask them, TELL them
that the IP will be being changed in, say, one month's time, remind them again
a few days before the scheduled date, and then make the change whether they
have responded or not.

the notice you send them should tell them exactly what is going on, exactly
what they have to do, and the consequences of what will happen (i.e. their site
will be unreachable) if they don't.


craig sanders <cas@taz.net.au>

The next time you vote, remember that "Regime change begins at home"

Reply to: