Has anyone else noticed a big drop of traffic related to this?
My stats for this week have been so far (pretty low.. but as I only have 2 world viewable port 80's)
Monday : 37 (ids was playing up so only partial records)
Tuesday : 599
Wednesday : 511
Today (from 8am) : nil
I am just wondering is this the norm.. or I am just lucky. (or has AoL started filtering this now?)
Cheers,
Brodie
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
442969 since 9am this morning here.. :)
*pats his Alteon Layer 4 switch*
-- Steve.
At 10:26 9/08/2001, Brodie Davis wrote:
Has anyone else noticed a big drop of traffic related to this?
My stats for this week have been so far (pretty low.. but as I only have 2 world viewable port 80's)
Monday : 37 (ids was playing up so only partial records)
Tuesday : 599
Wednesday : 511
Today (from 8am) : nil
I am just wondering is this the norm.. or I am just lucky. (or has AoL started filtering this now?)
Cheers,
Brodie
-- Steve Phillips, Systems Admin, Asia Online NZ Ltd
We've also seen a reasonable reduction today, only 20000 packets every 10 minutes compared to 40000 yesterday and 65000 the 2 days prior
-----Original Message-----
From: Steve Phillips [mailto:steve(a)nz.asiaonline.net]
Sent: Thursday, 9 August 2001 10:31 AM
To: Brodie Davis; nznog(a)list.waikato.ac.nz
Subject: Re: Code Red errata
442969 since 9am this morning here.. :)
*pats his Alteon Layer 4 switch*
-- Steve.
-- Steve Phillips, Systems Admin, Asia Online NZ Ltd
On Thu, 9 Aug 2001, Philip Beckmann wrote:
We've also seen a reasonable reduction today, only 20000 packets every 10 minutes compared to 40000 yesterday and 65000 the 2 days prior
My pathetic two IP addresses have fielded some 39 attempts since 8am - 227 so far today - seems to still be roughly on track for the rate I have received over the last two days.
-- Dylan Reeve - dylan(a)wibble.net "Um, yeah."
2 people (including me) had a custom program going to log these attacks on
different networks and to email the person responsible for the machines
involved with an email telling time/ip etc of the attacks and how to fix it.
I had at least 10000 unique IP addresses infected attacking me on 2C Classes
(About ~1M hits from 1 day) and an email went to a lot of them. _A LOT_ of
people thanked me for letting them know they were infected and said they
would fix them.
Thanks
Craig Whitmore
Orcon Internet
http://www.orcon.net.nz
At 10:31 9/08/2001, Steve Phillips wrote:
442969 since 9am this morning here.. :)
*pats his Alteon Layer 4 switch*
Ok, to expound a little here, I am using the content matching features of the Alteon AD4 to redirect any incoming GET request that has the string "default.ida" in it - this is possible as any traffic coming in internationally comes in through the switch at some point before it hits the customer network.
Yesterday I had around 3,000,000 hits over a 12 hour period. The requests are all being redirected to a Linux box which is being used to log and check that things are all working ok still (I check occasionally to ensure that there are no valid requests to default.ida).
For some reason yesterday there was still some leakage but since this morning it's been reasonably tight as far as any requests getting through.
I am currently only redirecting for our 210.48.0.0/17 and 210.185.0.0/19 but am hoping to increase this to cover all our ranges at a later point, the reason for this is that the Linux box capturing the redirects started to croak a little with 1000+ requests per second :)
Also, the filter will only protect against requests coming in internationally - stuff across APE will bypass the Alteon and arrive directly to the end user's server. If I had a couple more AD4's then this wouldn't be the case :)
-- Steve.
Hi Steve, On Thu, 9 Aug 2001, you wrote:
Ok, to expound a little here, I am using the content matching features of the Alteon AD4 to redirect any incoming GET request that has the string "default.ida" in it - this is possible as any traffic coming in internationally comes in through the switch at some point before it hits the customer network.
Is it possible to filter on part of the shell code payload? At least one CR variant doesn't request default.ida - rendering it useless (I assume), but that should let you see those hits, and allow genuine default.ida requests through...
Best regards,
James McGlinn
Consultant
Entertainz * NZ Web Hosting Solutions
http://www.entertainz.co.nz/
Steve Phillips wrote:
Ok, to expound a little here, I am using the content matching features of the Alteon AD4 to redirect any incoming GET request that has the string "default.ida" in it - this is possible as any traffic coming in internationally comes in through the switch at some point before it hits the customer network.
So who else is doing this? Until 10am my box, here in Paradise-land, was logging a moderately consistent 5-15 requests an hour. Since then, I've seen just one (from an Indian address).
-- don
http://www.nzherald.co.nz/storyprint.cfm?storyID=205974 is NZ$4.7 Billion accurate?! I am somehow glad I'm not on a cable connection in the USA...
Mark.
If it is printed in the NZ Herald then it MUST be accurate.
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Mark Foster
Sent: Thursday, August 09, 2001 11:49 AM
To: nznog(a)list.waikato.ac.nz
Subject: Dollar Figures
http://www.nzherald.co.nz/storyprint.cfm?storyID=205974 is NZ$4.7 Billion accurate?! I am somehow glad I'm not on a cable connection in the USA...
Mark.
At 11:25 9/08/2001, Don Stokes wrote:
Steve Phillips wrote:
Ok, to expound a little here, I am using the content matching features of the Alteon AD4 to redirect any incoming GET request that has the string "default.ida" in it - this is possible as any traffic coming in internationally comes in through the switch at some point before it hits the customer network.
So who else is doing this? Until 10am my box, here in Paradise-land, was logging a moderately consistent 5-15 requests an hour. Since then, I've seen just one (from an Indian address).
What's even more interesting, put the filter in reverse and catch your customers that are infected <grin> we are now busy contacting them all :)
-- Steve
Systems Admin, Asia Online (NZ)
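Added example, not code from the thread or from any participant: it applies the "default.ida" match Steve describes to constructed connection records, uses the two ranges he names to tell inbound probes from the "filter in reverse" case, and sets short-query hits aside for the manual validity check. The record format, `MAX_BENIGN_QUERY`, the filler string and all sample host addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ranges named in the thread as covered by the redirect.
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("210.48.0.0/17", "210.185.0.0/19")]
MAX_BENIGN_QUERY = 64  # assumption: a genuine default.ida request has a short query string
# Hypothetical record format: "<src ip> <dst ip> <HTTP request line>"
RECORD = re.compile(r"^(\S+) (\S+) GET (\S+) HTTP/\d\.\d$")

def is_customer(addr):
    """True if addr parses as an IP inside one of the covered ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CUSTOMER_NETS)

def classify(line):
    """Return (direction, src, needs_review) for a default.ida GET, else None."""
    m = RECORD.match(line.strip())
    if not m or "default.ida" not in m.group(3).lower():
        return None
    src, dst, target = m.groups()
    if is_customer(src) and not is_customer(dst):
        direction = "outbound"   # the filter "in reverse": a customer host is probing
    elif is_customer(dst):
        direction = "inbound"    # what the redirect is meant to catch
    else:
        direction = "uncovered"  # neither end is in the covered ranges
    query = target.partition("?")[2]
    return direction, src, len(query) <= MAX_BENIGN_QUERY

def summarise(lines):
    """Count default.ida hits per source, bucketed by direction or 'review'."""
    report = {k: Counter() for k in ("inbound", "outbound", "uncovered", "review")}
    for direction, src, needs_review in filter(None, map(classify, lines)):
        report["review" if needs_review else direction][src] += 1
    return report

FILLER = "A" * 200  # constructed stand-in for an over-long query string
SAMPLE = [          # constructed records, not real traffic
    f"192.0.2.10 210.48.10.5 GET /default.ida?{FILLER} HTTP/1.0",
    f"192.0.2.10 210.185.3.9 GET /default.ida?{FILLER} HTTP/1.0",
    f"210.48.77.20 198.51.100.4 GET /default.ida?{FILLER} HTTP/1.0",
    "203.0.113.8 210.48.10.5 GET /default.ida?q=1 HTTP/1.0",
    "203.0.113.8 210.48.10.5 GET /index.html HTTP/1.0",
]
```

The `outbound` bucket is the list of customer addresses to contact; the `review` bucket holds requests that may be legitimate and should not be counted as probes without a look.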
participants (9)
- Brodie Davis
- Craig Whitmore
- David Fox
- Don Stokes
- Dylan Reeve
- James McGlinn
- Mark Foster
- Philip Beckmann
- Steve Phillips