Re: [cobalt-users] blocking Code Red attempts? RaQ3
- Subject: Re: [cobalt-users] blocking Code Red attempts? RaQ3
- From: flash22@xxxxxxx
- Date: Thu Oct 4 16:16:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 3 Oct 2001, FantasticMoms.com wrote:
> Hi guys,
>
> I seem to be getting hit with Code Red Worm attacks quite a few times from
> the same Ip address. The address block virtually always begins with 66.51,
> and seems to only be 4 or 5 different addresses.
>
> Is there a way I can prevent this from reaching my server, as it is filling
> up my log files with spurious entries. I am hit with this thousands of
> times per month.
>
> I really don't want to block a whole section of the population though, so
> what's the safest way of doing this?
I'd just wait a bit. Poking about in the ARIN database, it looks like most
of what is in this block is web hosting, so blocking it probably wouldn't
bother too many casual browsers....(I sometimes block email from these
types of blocks to control spam - I'm not saying anything more than that
=)
Having said that, traceroutes anywhere in that block seem to hit null
routes immediately after Alternet and Sprint, and it drops partway via
BBN, so I think whoever is in that block already ticked off someone ;-/
(Probably by not fixing their broken servers ;)
The block is entirely in the US though, so the contact addresses are probably
valid if you want to gripe to someone ;)
If you must, the simplest, non-permanent way to block it is
/sbin/route add -net 66.51.0.0 netmask 255.255.0.0 reject
[Will block 65535 contiguous IP addresses, plus or minus a few;0 ]
You can get fancier, but I doubt there's much point as it's just normal
connect attempts.....reject will send back 'connection refused', which is
appropriate....
Alternately you can block specific IPs, but this seems to be a waste of
time; in a case like this there's probably a room full of servers slowly
giving each other the stupid worm....by the time you block one address, 2
other machines just got it and start pestering you....
PS: I know one ISP that after several hours just yanked the power to a
whole wall of [NT] servers, this thing is a nuisance -/
gsh
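Added example, not part of the original post or thread: before reaching for a /16 reject route, it is worth confirming from the web log which source blocks are actually sending the worm traffic and how much of it there is. Code Red's probe is a request for /default.ida followed by a long run of filler characters (that signature is historical fact); the Apache log lines below are constructed for this example, not real traffic. The script counts probes per source /16 and prints the reject route from the post beside an equivalent ipchains rule, which is the packet filter on the 2.2 kernels a RaQ3 shipped with (assumed here; check the kernel before using it).

```shell
#!/bin/sh
# Added example (not from the original post). Count Code Red probes per
# source /16 in an Apache access log and print candidate block commands.
# The request signature "GET /default.ida?" plus a run of N or X characters
# is the real Code Red probe; the log lines below are constructed samples.

CR_SAMPLE_LOG='66.51.12.34 - - [03/Oct/2001:10:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 295 "-" "-"
66.51.12.34 - - [03/Oct/2001:10:01:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 295 "-" "-"
66.51.200.7 - - [03/Oct/2001:10:02:15 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 295 "-" "-"
192.0.2.10 - - [03/Oct/2001:10:03:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
198.51.100.5 - - [03/Oct/2001:10:04:30 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 295 "-" "-"'

# Read an access log on stdin; print "count prefix" for every source /16
# that sent at least $1 (default 1) Code Red probes, busiest first.
# Only the first two octets of the client address are kept, so the count
# covers the whole /16 the way the route in the post would block it.
codered_prefixes() {
    min=${1:-1}
    grep 'GET /default\.ida?' \
      | awk -v min="$min" '{ split($1, o, "."); p = o[1] "." o[2]; n[p]++ }
             END { for (p in n) if (n[p] >= min) print n[p], p }' \
      | sort -rn
}

# Print the two ways to block a /16 prefix (given as "a.b"):
#  1. the reject route from the post: a routing change, so this host also
#     loses the ability to reach anything in that block itself;
#  2. an ipchains rule that only rejects TCP to port 80 from the block and
#     leaves everything else (mail, DNS) untouched. ipchains is assumed to
#     be the filter on this kernel; verify before use.
block_commands() {
    prefix=$1
    printf '/sbin/route add -net %s.0.0 netmask 255.255.0.0 reject\n' "$prefix"
    printf '/sbin/ipchains -I input -p tcp -s %s.0.0/16 -d 0/0 80 -j REJECT\n' "$prefix"
}

# Usage: list every /16 that sent two or more probes, with its block commands.
printf '%s\n' "$CR_SAMPLE_LOG" | codered_prefixes 2 | while read -r count prefix; do
    echo "# $count Code Red probes from $prefix.0.0/16"
    block_commands "$prefix"
done
```

On a live box replace the sample with `codered_prefixes 50 < /var/log/httpd/access_log` (the path is an assumption; use whatever the virtual site logs to). A single-probe /16 such as 198.51.100.0/16 in the sample drops out at that threshold, which keeps the block list to sources that are actually a nuisance rather than every host that scanned once.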