Willem Jan Withagen wrote:
> [ I guess I haven't been paying too much attention during ipfw class :(
> And I got the suggestion to try FreeBSD-net@ instead of security. But
> I'm not subscribed to this list, so please Cc: me.
> ]
>
> Hi,
>
> Perhaps somebody could give some pointers.
>
> I received a call from a customer this morning that all of his websites
> were no longer online. So after some resetting and more, it turned out
> that there was a serious overload on his server. Over 500 clients
> connected (norm is 50), and they were all trying to get this file
> 777.gif (which is not on any of the sites).
>
> After reducing the max servers to 100, the sites are now more or less up.
>
> Then I created a swatch script to actually block the offenders thru ipfw
> (which was already used to do most of the protection).
>
> It is already a solution, because they keep trying it multiple times.
> But it turns out that the generic name of the server is in a new virus,
> on a list of servers to get a file from. And it's in a high place in
> that list. So I can confirm that there are at least 35.000 PCs infected
> with this Bagle.FY virus. And these are now all in the block list in IPFW.

I hope you are using an ipfw table to do this..

> I contacted the maintainer for the generic FQDN name of the server to
> reset the IP-number for that name to 127.0.0.1, but that'll take another
> 24 hours to propagate thru the whole of the internet.
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )
> So I'd like to see if there is something to do with divert and some
> matching on a string in the packet to drop those packets.
> That would prevent me from having a humongous set of rules in ipfw.

use ipfw tables
one table lookup would do the job
that's one rule

> Or any other suggestion that would make sense.
>
> Thanx,
> --WjW
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
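
The table approach suggested in the reply above, sketched as an added example that is not part of the original thread: offending addresses are pulled from the web server log and loaded into one ipfw table that a single deny rule looks up. The Apache common log format, table number 1, rule number 100 and the sample log lines are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: Apache common log format,
# ipfw table number 1, rule number 100. Sample log lines are constructed.
TABLE=1
RULE=100
PATTERN='/777.gif'

# Constructed sample input (documentation address ranges).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Jan/2000:09:00:01 +0100] "GET /777.gif HTTP/1.1" 404 209
198.51.100.7 - - [01/Jan/2000:09:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2000:09:00:02 +0100] "GET /777.gif HTTP/1.1" 404 209
203.0.113.45 - - [01/Jan/2000:09:00:03 +0100] "GET /images/777.gif HTTP/1.0" 404 209
not-an-ip - - [01/Jan/2000:09:00:04 +0100] "GET /777.gif HTTP/1.1" 404 209
EOF
}

# Read log lines on stdin; print each offending client address once.
# $1 is the client address and $7 the request path in common log format.
# Anything that is not a dotted quad is skipped rather than handed to ipfw.
offenders() {
    awk -v pat="$PATTERN" '
        index($7, pat) && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$1]++ { print $1 }'
}

# Read addresses on stdin; print the ipfw commands instead of running them,
# so the output can be reviewed first and then piped to sh as root.
emit_cmds() {
    # The only firewall rule needed, however many addresses the table holds.
    echo "ipfw add $RULE deny ip from 'table($TABLE)' to any"
    while read -r ip; do
        echo "ipfw table $TABLE add $ip"
    done
}

# Dry run over the sample; on a real host feed the access log to offenders.
sample_log | offenders | emit_cmds
```

The rule set stays at one rule while the table grows, which is the point made in the reply.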