On Tue, 10 Aug 2004 19:38, Michelle Konzack <[EMAIL PROTECTED]> wrote:
> On 2004-08-08 15:32:51, Russell Coker wrote:
> > On Sat, 7 Aug 2004 14:56, "Shannon R." <[EMAIL PROTECTED]> wrote:
> > > Is there a debian package wherein the app recognizes
> > > IIS worm attacks? Then blocks these IPs in real time?
> >
> > Why bother? They can't do any harm, and the bandwidth that they take is
> > usually a small portion of the total bandwidth. Why not just ignore
> > them, it's the easiest thing to do.
>
> Already tried Webalizer on a 10 MByte IIS-Worm infected LOG File...
>
> Forget it !!!

What was the problem? When I was analysing 500M web logs with Webalizer I didn't have any serious performance problems. I was analysing the logs three ways, for customers of the ISP, for outside users, and for both combined. The machine doing the log analysis had a 400MHz SPARC CPU (not a fast CPU at all), and only 1G of RAM (which was a problem as Webalizer could use a lot of RAM at times). Sometimes a single run would deal with 1G or 2G of log files from the web server. It would take a couple of hours to process but it still wasn't a big deal.

> On some days I had on my Virtual WebServer @HOME (ADSL 128/1024)
> more than 50 MByte Logfiles with IIS-Worm and hash=xxx entries.

Maybe the thing to do would be to write a server that establishes the HTTP protocol and then sets the TCP window size to zero (to tar-pit connections). Such a server program could listen on every IP address that's not used for a real web server and tie up resources on the zombie machines without wasting space in log files.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
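
A sketch of the tarpit idea from the message above, added here as an example and not code from the thread or its author. User space cannot set the TCP window directly, so this assumes the common approximation: a tiny receive buffer that is never read, so the kernel advertises a zero window once it fills. The function names, loopback address and buffer sizes are assumptions.

```python
import socket
import threading

def start_tarpit(host="127.0.0.1", port=0, rcvbuf=1024):
    """Accept every connection on (host, port) and never read from it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Set before listen() so accepted sockets inherit the small buffer
    # (Linux behaviour); the kernel rounds the value up to its own minimum.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind((host, port))
    srv.listen(128)
    held = []  # keep references so the connections are never closed

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener was closed: stop accepting
                return
            held.append(conn)     # no recv(), no reply, nothing logged

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def bytes_until_stall(port, host="127.0.0.1", limit=1 << 20):
    """Client-side check: bytes accepted before send() stalls for 1 second."""
    c = socket.create_connection((host, port), timeout=5)
    c.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)
    c.settimeout(1.0)
    sent = 0
    try:
        while sent < limit:
            sent += c.send(b"X" * 512)
    except socket.timeout:        # peer window closed, local buffer full
        pass
    finally:
        c.close()
    return sent

if __name__ == "__main__":
    # Constructed demo on loopback: the sender stalls after a few kilobytes.
    _, demo_port = start_tarpit()
    print("tarpit on port", demo_port)
    print("bytes accepted before stall:", bytes_until_stall(demo_port))
```

A request that fits entirely in the receive buffer never drives the window to zero; that client simply waits for a response that does not come.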