Question about codered worm

David Murn davey at
Thu Aug 9 22:58:30 EST 2001

On Tue, 7 Aug 2001, Sam Couter wrote:

> > - In a sense we're paying for this traffic...
> But, if the connection isn't being established because of your firewall,
> you're only getting SYN packets.

We've been under attack from this virus for about the last week and have
logged 5200 SYN packets in just over 4 minutes.  At 68 bytes each this is
353k.  Meaning 12 minutes of this attack is 1mb, or 5mb per hour.  Meaning
this attack costs us $1/hr in SYN packets alone.  We have suffered around
100mb of this data in the last 5 days, so cost is a very real
issue.  We're fortunate to only be on a 56k modem to Telstra BigPond,
which can be disconnected easily, as it's not required usually, but is
still an expensive exercise.

> > - are we allowed to do smurf type attacks on offending machines to try to
> > disable their IP stacks?
> Not legally (IANAL).

Maybe not legally, but maybe we have legal recourse to invoice people for
our bandwidth charges from their addresses?

> We're just ignoring it so far, mostly because we don't know that we can do
> anything about it.

I was doing that, but our gateway machine doesn't have a big enough disk to
log more than a few days worth of this attack with tcpdump, as I wouldn't
even think of logging text-based firewall logs.


