Hi again Mark,

At 11:45 +1200 11/8/03, Mark Henderson wrote:

> It's been established that the reason for all the miscellaneous xxx's in our server logfiles is Code Red attacks on default.ida. However, security on the server is well up to date, and there are no virus infections. The problem is the attacks keep coming from random IPs, and are consistently screwing up the traffic reports on each of the hosted domains. Is there any solution to this problem, or is it too late? Without traffic figures on each of these domains, I cannot give an accurate report to the billing department for charging. All help greatly appreciated.

You've already received some good filter rules for removing the Code Red-like attacks from your traffic reports. But here's a thought that's a little off-topic 'cos it's not actually about how Analog is configured, but about your business process...


As I see it, there's no real difference between a "bad request" that's the result of a Code Red attack and a "bad request" that's caused by someone mis-typing a URL and generating a 404 error. Both of them are requests for pages that don't exist, but which still result in a small amount of data being transferred back to the client in the form of an error message. The difference is purely one of intent on the client side, and that's really not your problem.

Are your hosting clients only paying for "good requests"?

Any website will get a small proportion of bad requests, through user error, deliberate attack and so on. Consider this a cost of doing business online, in the same way that someone in a manufacturing industry would have to deal with the cost of faulty manufacturing, "shrinkage" (theft) and so on.

Personally, I'd put the question back to your billing department or up the line to management, because this is a business decision not a technical one. You've got one of two scenarios to choose from:

  * The hosting clients pay for all the data transferred through their
    domains, whether the result of a "good request" or a "bad request".

  * The hosting clients only pay for the data transferred as the result
    of "good requests". The cost of data transfers resulting from "bad
    requests" are borne by your company as an overhead of doing business.

I'd recommend the first scenario. It avoids even getting into the issue of what constitutes "good" and "bad" requests. And it saves your time in having to maintain a set of filter rules to remove each kind of attack signature as it's recognized. It makes everything a LOT simpler.

Plus I like the idea of the clients being aware of the fact that their website *is* continually under attack from random IP addresses. It helps reinforce the fact that they need to think about the security of their data. Filtering out those messages could lead to complacency.

Well, that's my opinion, anyway...

Stil


-- 
Stilgherrian <[EMAIL PROTECTED]>
Internet, IT and Media Consulting, Sydney, Australia. ABN 25 231 641 421
mobile 0407 623 600 (international +61 407 623 600)
fax 02 9516 5630 (international +61 2 9516 5630)

+------------------------------------------------------------------------
| TO UNSUBSCRIBE from this list:
|   http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| Digest version: http://lists.isite.net/listgate/analog-help-digest/
| Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
| List archives:  http://www.analog.cx/docs/mailing.html#listarchives
+------------------------------------------------------------------------
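To make the two billing scenarios in the post concrete, here is a small Python script added by the editor; it is not from Stilgherrian's message and is not part of Analog. It parses a few constructed log lines, tags each request as a Code Red probe, a "good" request (2xx/3xx) or any other "bad" request, and totals bytes per hosted domain both ways: everything transferred (scenario one) and only successful requests (scenario two). It assumes an Apache-style "vhost_combined" log layout (virtual host name prepended to the combined format); the domain names and addresses in the sample are made up, and the log regex would need adjusting for a different server.

```python
import re
from collections import defaultdict

# Assumed log layout (not stated in the original post): Apache-style
# "vhost_combined", i.e. the virtual host name prepended to the usual
# combined format. Adjust LOG_RE for whatever your server really writes.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Code Red / Code Red II probe: a request for /default.ida padded with a
# long run of X or N characters followed by %u-encoded payload. The match
# is case-insensitive because IIS paths are.
CODE_RED_RE = re.compile(r'^/default\.ida\?[XN]{10,}', re.I)

# Constructed sample lines (not real traffic) for two hosted domains:
# ordinary hits, one mistyped URL (404), one conditional GET (304, no
# body), and one Code Red probe against each domain.
SAMPLE_LOG = [
    'www.example-a.com 203.0.113.10 - - [11/Aug/2003:11:45:01 +1200] '
    '"GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/4.0"',
    'www.example-a.com 203.0.113.10 - - [11/Aug/2003:11:45:02 +1200] '
    '"GET /images/logo.gif HTTP/1.1" 200 1204 '
    '"http://www.example-a.com/index.html" "Mozilla/4.0"',
    'www.example-a.com 198.51.100.7 - - [11/Aug/2003:11:46:13 +1200] '
    '"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 291 "-" "-"',
    'www.example-a.com 203.0.113.44 - - [11/Aug/2003:11:47:20 +1200] '
    '"GET /abuot.html HTTP/1.1" 404 291 "-" "Mozilla/4.0"',
    'www.example-b.com 192.0.2.9 - - [11/Aug/2003:11:48:05 +1200] '
    '"GET / HTTP/1.1" 200 2210 "-" "Lynx/2.8"',
    'www.example-b.com 192.0.2.9 - - [11/Aug/2003:11:48:06 +1200] '
    '"GET /style.css HTTP/1.1" 304 - "-" "Lynx/2.8"',
    'www.example-b.com 198.51.100.200 - - [11/Aug/2003:11:49:30 +1200] '
    '"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
    '%u9090%u6858 HTTP/1.0" 404 291 "-" "-"',
]


def parse(line):
    """Return the fields we bill on as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache logs "-" (not 0) when no body was sent, e.g. on a 304.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(rec):
    """'code_red' for a worm probe, 'good' for 2xx/3xx, 'bad' for anything else."""
    if CODE_RED_RE.match(rec["path"]):
        return "code_red"
    if 200 <= rec["status"] < 400:
        return "good"
    return "bad"


def bill(lines):
    """Per-vhost totals: all_bytes is scenario one, good_bytes is scenario two."""
    totals = defaultdict(lambda: {"all_bytes": 0, "good_bytes": 0,
                                  "good": 0, "bad": 0, "code_red": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # skip junk rather than mis-bill it
        kind = classify(rec)
        t = totals[rec["vhost"]]
        t["all_bytes"] += rec["bytes"]   # scenario one: everything counts
        t[kind] += 1
        if kind == "good":
            t["good_bytes"] += rec["bytes"]  # scenario two: successes only
    return dict(totals)


if __name__ == "__main__":
    for vhost, t in sorted(bill(SAMPLE_LOG).items()):
        print(f"{vhost}: all={t['all_bytes']}B good-only={t['good_bytes']}B "
              f"good={t['good']} bad={t['bad']} code_red={t['code_red']}")
```

On the sample, www.example-a.com bills 6309 bytes under scenario one and 5727 under scenario two; the Code Red probe and the mistyped URL each cost the same 291-byte error page, which is the point the post makes. One thing to check in your own logs before relying on per-domain figures either way: a Code Red probe is an HTTP/1.0 request aimed at an IP address, so where it has no Host header a name-based server will log it against whichever virtual host is the default, not necessarily the domain the client thinks was "attacked".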
