On Tue, 6 Nov 2001, Patrick McManus wrote:

> [Derek D. Martin: Tue, Nov 06, 2001 at 12:59:18PM -0500]
> > It seems to me you're completely missing my point. If my network is
> > overloaded, it doesn't matter whether it's with HTTP packets, ICMP
>
> I 'missed your point' because it is a non sequitur from the one that
> was asked.
>
> apparently calling folks you'd never met or interacted with "stupid
> and/or lazy" didn't leave you enough time to read the actual question:

Hold on, lemme get Judge Mills Lane .... "I'll allow it!"

> "getting hit. Even though they are not vulnerable, the actual load
> from the Code Red/Nimda traffic is so high that it is causing
> noticeable slowdowns on those portions of our site that use those
> servers."
>
> It's a server problem. The problem is not shared on other portions of
> the site that are already filtered via load balancer. (the lb is an
> application layer solution btw.)

I read the question. OK. Are we agreed that the problem is not the total
network but the web servers?

> and in case it still isn't clear, NBAR still lets a significant portion
> of the flow through anyhow (the syn/syn-ack/ack) which is probably 35%
> of the total data flow.. and it causes full connection tables
> that applications will hate and will result in port number exhaustion
> for the kernel.

I would like to suggest a fairly out-of-the-box solution that will
eliminate almost all of the extra load on the web servers, while not
having to deal with alleged stupid and/or lazy people.

So let's say you set up one or more firewalls (linux boxen most likely,
or Solaris boxen), to whatever degree is necessary to not slow things
down too much. You write and install a daemon on each web server that
monitors the web error log files. When it sees a request that looks like
a virus hit, the daemon sends the IP address to a daemon on the
firewalls, which adds it to the list of IPs to be blocked on port 80.

The two daemons can talk to the firewalls over a very simple socket
client/server connection, UDP broadcast packet, rcp, ftp'ing a file, or
even email-based. Nice and easy and scalable. I would probably add
something to the firewall software to drop the older IPs off the top of
the list after 14 or 21 days or something, so the list does not get too
long. If the machine is still infected, it will just get re-blocked
after the first hit.

-------------------------------------------------------------------
DDDD      David Kramer                        http://thekramers.net
DK KD
DKK D     "Before you criticize someone, you should walk a mile in
DK KD     their shoes. That way, when you criticize them, you're a
DDDD      mile away and you have their shoes."
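The web-server side of the scheme described in the post, as an added example (not code from the thread): it parses Apache-format log lines, flags requests that hit well-known Code Red/Nimda probe paths, and keeps a block list keyed by client IP with the 14-day expiry the post suggests, refreshing the entry on a repeat hit so a still-infected host is re-blocked. The probe-path patterns, the log format and the sample lines are assumptions constructed for the example; the firewall-side daemon that would turn the entries into port-80 drop rules is not shown.

```python
import re
from datetime import datetime, timedelta

# Paths probed by Code Red (default.ida) and Nimda (root.exe, cmd.exe); this
# short pattern list is an assumption for the example, extend it as needed.
WORM_PATTERNS = re.compile(r"/default\.ida|/root\.exe|/cmd\.exe", re.IGNORECASE)
# Apache Common Log Format: client IP, ident, user, [timestamp], "request" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 06/Nov/2001:13:02:11 -0500

def parse_ts(text):
    return datetime.strptime(text, TS_FMT)

def worm_hit(line):
    """Return (client_ip, hit_time) if the line looks like a worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request = m.groups()
    return (ip, parse_ts(ts)) if WORM_PATTERNS.search(request) else None

class BlockList:
    """IPs to drop on port 80; an entry expires `ttl` after its most recent hit."""
    def __init__(self, ttl=timedelta(days=14)):
        self.ttl = ttl
        self.entries = {}   # ip -> time of last worm hit

    def add(self, ip, when):
        # A repeat hit refreshes the entry, so a still-infected host stays blocked.
        self.entries[ip] = max(when, self.entries.get(ip, when))

    def expire(self, now):
        """Drop entries older than ttl and return the IPs that were released."""
        stale = sorted(ip for ip, t in self.entries.items() if now - t > self.ttl)
        for ip in stale:
            del self.entries[ip]
        return stale

def scan(lines, blocklist):
    """Feed web-server log lines through the detector; return the updated list."""
    for hit in filter(None, map(worm_hit, lines)):
        blocklist.add(*hit)
    return blocklist

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2001:13:02:11 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '198.51.100.7 - - [06/Nov/2001:13:02:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '203.0.113.5 - - [06/Nov/2001:13:03:00 -0500] "GET /index.html HTTP/1.0" 200 1532',
]
```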