On Wed, 20 Aug 2003, Christopher Sawtell wrote: > Hi folks, > > For those of us who are running web servers on port 80 there is > some sort of worm doing it's thing out there at the moment. > > I am currently getting 'hundreds' of http requests to "GET / > HTTP/1.1" at the rate of two or three per minute from all over the > world.
I've seen an increase, but not to that extent. Seem to come in bursts of 3 or 4 over 5 minutes (just saw a burst of 9 over 5 minutes while finishing this email), then nothing for a while. What I have seen is a huge increase in ARP traffic (I'm on cable). It's at least 20kbit/s! Usually it's around the noise level, but it's quite visible on my MRTG graphs now. From midnight until 5am this morning there were over 1million requests (about 55/sec?). So I'm guessing that either they have reduced (disabled) the ARP cache on the cable headend router thingy or there's a lot of scanning going on from the Net, or both. If anyone wants a list of who was asking for what I've got a 55meg file of them (compresses down to 6meg) I have discovered that it doesn't seem to count towards my bandwidth/speed restrictions though (ie max speed now is 20kbit/s+ greater than the speed plan I'm on). So it's just annoying more than anything. A while ago the gateway router thingy went down, I still had a connection but default route wasn't responding. The ARP traffic then was over 80kbit/s from all these machines trying to find the router. The traffic now is the 20x.xx.xx.1 machine trying to find the clients. Andrew Gordon -- http://hhs.gordons.gen.nz/ Uptime: 242:16:09 (Days:Hours:Minutes) 0.73, 1.45, 1.12 Loadavg 130 Tasks loaded, 2 in Running State
