Wayne E. Bouchard [2/19/2004 6:16 AM] :
Easy enough to fend off except for the TCP 80 bit. For most of these attacks, I've taken to just filtering the entire LACNIC and APNIC address delegations at the host level for the durration of the incident since, in the general case, my customers (the ones that suffer these incidents) do little if any business in that region.
May I suggest extending your ACLs to filter 0/0?
I have seen quite a lot of this from ARIN (mostly cablemodem land, 24/8) as well as RIPE space (again cablemodem land -> trojaned zombies?)
srs
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
