Fair enough, but through our netflow collector we find there is a large number of packets of 144 bytes (approx. 40,000 every 10 minutes), most of which our access-lists are dropping. We recall reading somewhere (but can't find it now to verify) that these packets were the initial probe sent prior to sending the "GET /default.ida?" query.
-----Original Message-----
From: Chris Wedgwood [mailto:cw(a)f00f.org]
Sent: Tuesday, 7 August 2001 10:51 AM
To: Philip Beckmann
Cc: Barry Raveendran Greene; nznog(a)list.waikato.ac.nz; petburke(a)cisco.com; rpoll(a)cisco.com
Subject: Re: Code Red - Network Impact?
On Tue, Aug 07, 2001 at 08:18:47AM +1200, Philip Beckmann wrote:
you're not alone. we've had to put access-lists in place to restrict port 80 traffic to valid machines in order to reduce router cpu utilisation load caused by large volumes of small packets (bogus queries)
Actually, bogus queries aren't that small, almost 4k (3818 bytes in the dumps I have) which is probably larger than what most web-servers get on average. Not only that, they are such that they look like:
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ...
    Content-length: 3379
    ^M
    ^M
    <binary payload>
which probably causes additional cycles to be burnt as web-servers don't generally see requests like that.
--cw
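Added example, not part of the original thread: a Python check that flags raw HTTP requests with the shape described in the message above (a GET for a .ida resource, a long filler run in the query string, a request body on a GET, unusual size). The function name, thresholds and both sample requests are assumptions constructed for illustration; the sample body is zero-byte filler, not a captured payload.

```python
import re

# Thresholds are assumptions for this example, not values from the thread
# (the thread reports requests of about 3818 bytes with Content-length 3379).
MIN_FILLER_RUN = 32         # identical characters in a row in the query string
MAX_NORMAL_REQUEST = 2048   # bytes; ordinary requests are far smaller

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+)")
FILLER_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), re.DOTALL)

def classify_request(raw):
    """Return the reasons a raw HTTP request matches the shape in the thread."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["unparseable request line"]
    method, target = m.group(1), m.group(2)
    path, _, query = target.partition(b"?")

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    reasons = []
    if path.lower().endswith(b".ida"):
        reasons.append("request for .ida resource")
    if FILLER_RUN.search(query):
        reasons.append("long run of one repeated character in query")
    if method == b"GET" and headers.get(b"content-length", b"0") != b"0":
        reasons.append("GET carrying a request body")
    if len(raw) > MAX_NORMAL_REQUEST:
        reasons.append("oversized request")
    return reasons

# Constructed samples (not captured traffic).
SAMPLE_FLAGGED = (b"GET /default.ida?" + b"X" * 224 + b" HTTP/1.0\r\n"
                  b"Content-length: 3379\r\n\r\n" + b"\x00" * 3379)
SAMPLE_NORMAL = b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("flagged", SAMPLE_FLAGGED), ("normal", SAMPLE_NORMAL)):
        print(name, len(req), classify_request(req))
```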