Question about codered worm
David Murn
davey at vision.doa.org
Thu Aug 9 22:58:30 EST 2001
On Tue, 7 Aug 2001, Sam Couter wrote:
> > - In a sense we're paying for this traffic...
>
> But, if the connection isn't being established because of your firewall,
> you're only getting SYN packets.
We've been under attack from this virus for about the last week and have
logged 5200 SYN packets in just over 4 minutes. At 68 bytes each this is
353k. Meaning 12 minutes of this attack is 1mb, or 5mb per hour. Meaning
this attack costs us $1/hr in SYN packets alone. We have suffered around
100mb of this data in the last 5 days, so cost is a very real
issue. We're fortunate to only be on a 56k modem to Telstra BigPond,
which can be disconnected easily, as it's not usually required, but it is
still an expensive exercise.
> > - are we allowed to do smurf type attacks on offending machines to try to
> > disable their IP stacks?
>
> Not legally (IANAL).
Maybe not legally, but maybe we have legal recourse to invoice people for
our bandwidth charges from their addresses?
> We're just ignoring it so far, mostly because we don't know that we can do
> anything about it.
I was doing that, but our gateway machine doesn't have a big enough disk to
log more than a few days' worth of this attack with tcpdump, as I wouldn't
even think of logging text-based firewall logs.
Davey