[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IIS worms and apache

On Tue, 10 Aug 2004 19:38, Michelle Konzack <linux4michelle@freenet.de> wrote:
> Am 2004-08-08 15:32:51, schrieb Russell Coker:
> > On Sat, 7 Aug 2004 14:56, "Shannon R." <shannon_mtbikes@yahoo.com> wrote:
> > > Is there a debian package wherein the app recognizes
> > > IIS worm attacks? Then blocks these IPs in real time?
> >
> > Why bother?  They can't do any harm, and the bandwidth that they take is
> > usually a small portion of the total bandwidth.  Why not just ignore
> > them, it's the easiest thing to do.
> Allready tried webalyzer on a 10 MByte IIS-Worm infected LOG File...
> Forget it !!!

What was the problem?

When I was analysing 500M web logs with Webalizer I didn't have any serious 
performance problems.  I was analysing the logs three ways, for customers of 
the ISP, for outside users, and for both combined.  The machine doing the log 
analysis had a 400MHz SPARC CPU (not a fast CPU at all), and only 1G of RAM 
(which was a problem as Webalizer could use a lot of RAM at times).

Sometimes a single run would deal with 1G or 2G of log files from the web 
server.  It would take a couple of hours to process but it still wasn't a big 

> On some days I had on my Virtual WebServer @HOME (ADSL 128/1024)
> more then 50 MByte Logfiles with ISS-Worm and hash=xxx entries.

Maybe the thing to do would be to write a server that establishes the HTTP 
protocol and then sets the TCP window size to zero (to tar-pit connections).  
Such a server program could listen on every IP address that's not used for a 
real web server and tie up resources on the zombie machines without wasting 
space in log files.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: