
BLU Discuss list archive



codered/nimda blocking



On Tue, 6 Nov 2001, Patrick McManus wrote:

> [Derek D. Martin: Tue, Nov 06, 2001 at 12:59:18PM -0500]
>
> > It seems to me you're completely missing my point.  If my network is
> > overloaded, it doesn't matter whether it's with HTTP packets, ICMP
>
> I 'missed your point' because it is a non sequitur from the one that
> was asked.
>
> apparently calling folks you'd never met or interacted with "stupid
> and/or lazy" didn't leave you enough time to read the actual question:

Hold on, lemme get Judge Mills Lane .... "I'll allow it!"
>
> "getting hit. Even though they are not vulnerable, the actual load
> from the Code Red/Nimda traffic is so high that it is causing
> noticeable slowdowns on those portions of our site that use those
> servers."
>
> It's a server problem. The problem is not shared on other portions of
> the site that are already filtered via load balancer. (The lb is an
> application layer solution, btw.) I read the question.

OK.  Are we agreed that the problem is not the total network but the web
servers?

> and in case it still isn't clear, NBAR still lets a significant portion
> of the flow through anyhow (the syn/syn-ack/ack) which is probably 35%
> of the total data flow.. and it causes full connection tables
> that applications will hate and will result in port number exhaustion
> for the kernel.

I would like to suggest a fairly out-of-the-box solution that will
eliminate almost all of the extra load on the web servers, while not
having to deal with alleged stupid and/or lazy people.

So let's say you set up one or more firewalls (linux boxen most likely, or
Solaris boxen), to whatever degree is necessary to not slow things down
too much.

You write and install a daemon on each web server that monitors the web
error log files.  When it sees a request that looks like a virus hit, the
daemon sends the IP address to a daemon on the firewalls, which adds it to
the list of IPs to be blocked on port 80.  The two daemons can talk to
each other over a very simple socket client/server connection, UDP
broadcast packet, rcp, ftp'ing a file, or even email.

Nice and easy and scalable.

I would probably add something to the firewall software to drop the older
IPs off the top of the list after 14 or 21 days or something, so the list
does not get too long.  If the machine is still infected, it will just get
re-blocked after the first hit.

-------------------------------------------------------------------
DDDD   David Kramer                           http://thekramers.net
DK KD
DKK D  "Before you criticize someone, you should walk a mile in
DK KD  their shoes.  That way, when you criticize them, you're a
DDDD   mile away and you have their shoes."
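Worked example, added to this archive page and not part of David's message or any BLU code: a first cut at the log-watching daemon's detection and block-list logic in Python. It assumes Apache 1.3-style error_log lines ("[date] [error] [client IP] File does not exist: path"), which is where Code Red and Nimda probes land as 404s on a non-IIS server, and it renders Linux 2.4 iptables rules for the firewall side (a Solaris firewall would need ipf syntax instead). The probe paths are the documented Code Red (default.ida) and Nimda (root.exe, cmd.exe) request targets, the sample log lines are constructed, and the transport between the two daemons is left out, as the post leaves it open.

```python
import re
from datetime import datetime, timedelta

# Request targets used by Code Red (default.ida) and Nimda (root.exe and
# cmd.exe probes), matched case-insensitively against the path Apache
# complains about. Documented worm probe paths only; this is not a full IDS.
WORM_PATH = re.compile(r"(default\.ida|/root\.exe|/winnt/system32/cmd\.exe)", re.IGNORECASE)

# Apache 1.3/2.0 error_log line, e.g.
# "[Tue Nov 06 12:59:18 2001] [error] [client 1.2.3.4] File does not exist: /path"
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)"
)


def worm_hits(lines):
    """Yield (client_ip, timestamp) for every error_log line that is a worm probe."""
    for line in lines:
        m = ERROR_LINE.match(line)
        if m and WORM_PATH.search(m.group("path")):
            yield m.group("ip"), datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")


class BlockList:
    """Firewall-side list of blocked client IPs, each stamped with the time the
    block was installed. expire() drops entries older than ttl; a host that is
    still infected is simply re-blocked on its first hit after that."""

    def __init__(self, ttl_days=14):
        self.ttl = timedelta(days=ttl_days)
        self.added = {}  # ip -> datetime the block went in

    def block(self, ip, when):
        """Record ip; return True only if it is new and a rule must be installed."""
        if ip in self.added:
            return False
        self.added[ip] = when
        return True

    def expire(self, now):
        """Drop and return (sorted) every ip whose block is at least ttl old."""
        old = sorted(ip for ip, t in self.added.items() if now - t >= self.ttl)
        for ip in old:
            del self.added[ip]
        return old


def iptables_rule(ip, action="-I"):
    """netfilter rule dropping ip's traffic to tcp/80. "-I" inserts it,
    "-D" deletes the identical rule when the entry expires."""
    return f"iptables {action} INPUT -s {ip} -p tcp --dport 80 -j DROP"


def process_log(lines, blocklist):
    """Web-server side: scan error_log lines, block new offenders once,
    and return the firewall commands that need to be run."""
    cmds = []
    for ip, when in worm_hits(lines):
        if blocklist.block(ip, when):
            cmds.append(iptables_rule(ip, "-I"))
    return cmds


def sweep(blocklist, now):
    """Firewall side: periodic expiry pass, returning the delete commands."""
    return [iptables_rule(ip, "-D") for ip in blocklist.expire(now)]


# Constructed sample error_log lines (hypothetical hosts, not real data).
SAMPLE_ERROR_LOG = [
    "[Tue Nov 06 12:59:18 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe",
    "[Tue Nov 06 12:59:19 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe",
    "[Tue Nov 06 13:00:02 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida",
    "[Tue Nov 06 13:00:40 2001] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico",
    "[Tue Nov 06 13:01:11 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/c/winnt/system32/cmd.exe",
]

if __name__ == "__main__":
    bl = BlockList(ttl_days=14)
    for cmd in process_log(SAMPLE_ERROR_LOG, bl):
        print(cmd)
    # Three weeks later both entries have aged out and the rules come off.
    for cmd in sweep(bl, datetime(2001, 11, 27)):
        print(cmd)
```

Two things worth noting in practice. Once the firewall drops an IP, the web server stops seeing its probes, so the age has to be measured from when the block went in (as above), not from the last hit, or nothing would ever expire. And the "-D" command must be byte-for-byte the same rule as the "-I" that installed it, or iptables will refuse to delete it.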





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.