-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This probably isn't the right place to be answering, so sorry for
being off topic.
We are using Cisco CS-800's (formerly Arrowpoint) with a content rule
to block any default.ida's. The requests never even get through to
the server. I don't know if any Cisco routers do layer 5 rules
though.
The other option would be to set up a snort rule, and have it add
iptables rules, but with (last figure I heard) 8000 hosts infected,
that's gonna make a lot of rules.
Theo
Theo Zourzouvillys
Internet Consultant
+ Notnet Consultancy [ www.notnet.co.uk ]
- Specialising in Unix security, ISP Start-up and regeneration,
- MySQL solutions, E-commerce, and Load balancing.
+ Notnet.co.uk - Quality web hosting at an affordable price
-
http://www.notnet.co.uk/ + theo@crazygreek.co.uk
- -----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Advanced
Hosting UNIX Admin Daniel Fairchild
Sent: 07 August 2001 13:52
To: snort-users@lists.sourceforge.net; netfilter@lists.samba.org;
bridge@math.leidenuniv.nl
Subject: Cod Red HELP!!!!
Hello TIA
We are having issues with Code Red on our Unix servers. We have 508
IPs per server, and the Code Red scanning is acting like a massive
DDoS on our Unix machines. We are getting all these requests for
default.ida and we are trying to figure out how to block it.
Does anyone have any suggestions?
TIA again
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBO2/qs+OPAq8KU5+mEQLpVACfa/Tte8PLuMyJi58ORYo4Vr9sq0wAniAL
srTW9+keQpUlTc/PxP2CW/g0
=8zKJ
-----END PGP SIGNATURE-----
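
The rule-count concern raised in the reply above, worked as an added example that is not part of the original thread: it finds default.ida requesters in web-server log lines and emits a single ipset, so the firewall needs one rule rather than one per host. ipset is not mentioned in the thread; it, the set name `codered` and the constructed log lines are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:13:40:01 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.11 - - [07/Aug/2001:13:40:02 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [07/Aug/2001:13:40:03 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [07/Aug/2001:13:40:09 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:13:41:00 +0100] "GET /Default.IDA?NNNN HTTP/1.0" 404 276
not a log line
"""

# client address, then the method and request target from the quoted request
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def scanner_ips(log_text):
    """Return the set of IPv4 source addresses that requested default.ida."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line, skip it
        src, _method, target = m.groups()
        # Drop the query string and compare the file name case-insensitively.
        path = target.split("?", 1)[0].lower()
        if path.rsplit("/", 1)[-1] != "default.ida":
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # hostname or garbage in the client field
        if ip.version == 4:
            hits.add(ip)
    return hits


def ipset_restore(ips, set_name="codered"):
    """Render input for `ipset restore`: one set, adjacent addresses merged."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips)
    lines = [f"create {set_name} hash:net"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines)


if __name__ == "__main__":
    print(ipset_restore(scanner_ips(SAMPLE_LOG)))
    # One rule then covers every entry:
    #   iptables -I INPUT -m set --match-set codered src -j DROP
```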