Re: IIS worms and apache
On Tue, 10 Aug 2004 19:38, Michelle Konzack <linux4michelle@freenet.de> wrote:
> On 2004-08-08 15:32:51, Russell Coker wrote:
> > On Sat, 7 Aug 2004 14:56, "Shannon R." <shannon_mtbikes@yahoo.com> wrote:
> > > Is there a debian package wherein the app recognizes
> > > IIS worm attacks? Then blocks these IPs in real time?
> >
> > Why bother? They can't do any harm, and the bandwidth that they take is
> > usually a small portion of the total bandwidth. Why not just ignore
> > them, it's the easiest thing to do.
>
> Already tried Webalizer on a 10 MByte IIS-Worm infected LOG File...
>
> Forget it !!!
What was the problem?
When I was analysing 500M web logs with Webalizer I didn't have any serious
performance problems. I was analysing the logs three ways, for customers of
the ISP, for outside users, and for both combined. The machine doing the log
analysis had a 400MHz SPARC CPU (not a fast CPU at all), and only 1G of RAM
(which was a problem as Webalizer could use a lot of RAM at times).
Sometimes a single run would deal with 1G or 2G of log files from the web
server. It would take a couple of hours to process but it still wasn't a big
deal.
> On some days I had on my Virtual WebServer @HOME (ADSL 128/1024)
> more than 50 MByte Logfiles with IIS-Worm and hash=xxx entries.
Maybe the thing to do would be to write a server that establishes the HTTP
protocol and then sets the TCP window size to zero (to tar-pit connections).
Such a server program could listen on every IP address that's not used for a
real web server and tie up resources on the zombie machines without wasting
space in log files.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
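A userspace sketch of the tar-pit idea from the message above, added here as an example and not code from Russell or from the list. Instead of forcing the TCP window to zero from a raw socket, it answers the request with headers promising a huge body, shrinks its own receive buffer and never reads again, then drips one byte every DRIP_INTERVAL seconds; the port, the interval and FAKE_LENGTH are assumed values.

```python
import asyncio
import socket

DRIP_INTERVAL = 30.0      # seconds between single body bytes (assumed value)
FAKE_LENGTH = 10 ** 9     # advertised body length that will never arrive


def tarpit_response_header(length=FAKE_LENGTH):
    """Header that promises a large body, so the client waits for it."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: %d\r\n"
            b"Connection: keep-alive\r\n\r\n" % length)


def parse_request_line(line):
    """Return (method, target) from a raw request line, or None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


async def tarpit_client(reader, writer):
    peer = writer.get_extra_info("peername")
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=10)
    except asyncio.TimeoutError:
        writer.close()
        return
    # One log line per connection instead of the worm's whole request spray.
    print("tarpit", peer[0], parse_request_line(line))
    # Ask for the smallest receive buffer the kernel allows and stop reading:
    # once it fills, the advertised window drops to zero and the client stalls.
    sock = writer.get_extra_info("socket")
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1)
    writer.write(tarpit_response_header())
    try:
        while True:
            await writer.drain()
            await asyncio.sleep(DRIP_INTERVAL)
            writer.write(b" ")      # keep the connection alive, very slowly
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        writer.close()


async def main(host="0.0.0.0", port=8080):
    # Bind to the unused address(es) that no real web server listens on.
    server = await asyncio.start_server(tarpit_client, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```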