If you are fortunate enough to have a firewall running Netfilter (iptables), you should be able to limit the number of requests per minute. It's a built-in feature to avoid these sorts of retarded DOSes. Better yet, if you have a wicked sense of humor and a little free time, plant a few tarpits and enjoy making the offending machines' lives a little more agonizing. =)

Netfilter Intro: http://www.knowplace.org/netfilter/ (view info about the --limit-burst and --limit options)
Tarpits Info: http://www.hackbusters.net/LaBrea/

jb

leon wrote:
> If you are worried about being overloaded by this traffic (or any
> undesirable traffic for that matter), why not just throw them in your
> edge router's ACLs? After that, why not contact the owners of the IPs
> after you do a whois on them?
>
> HTH,
>
> Leon
>
> -----Original Message-----
> From: Seth Keller [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 21, 2001 2:51 PM
> To: [EMAIL PROTECTED]
> Subject: Has anyone seen this before?
>
> We have been absolutely bombarded for the last 3 hours from a range
> of IPs which appear to be performing legitimate requests to port 80
> on our web server. Our T1 line has seen 100% utilization for the
> last 3 hours. We are getting roughly 500-600 requests per minute
> from a specific range of IPs. The IP addresses revolve around in
> near perfect order. They start at 216.106.166.141 and roll up to
> 216.106.166.207 before repeating. Any ideas? Thanks in advance.
>
> Seth Keller
> Culver Community Schools
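
Added example, not part of the original thread: a simplified model of the token bucket behind the `--limit` and `--limit-burst` options mentioned above, run against constructed traffic at the reported 500-600 requests per minute. The 60/minute rate, the burst of 20, the rule layout in the comment and the visitor's timing are assumptions chosen for illustration.

```python
from fractions import Fraction

# Simplified model of the token bucket behind Netfilter's `limit` match, as in:
#   iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 60/minute --limit-burst 20 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 --syn -j DROP
# 60/minute and 20 are assumed values for illustration, not figures from the thread.


def simulate_limit(packets, rate_per_min, burst):
    """Run (time_s, source) packets through one shared bucket.

    The bucket starts with `burst` credits, each accepted packet spends one,
    and credits refill at `rate_per_min` up to `burst`. A packet that finds
    less than one credit falls through to the DROP rule.
    Returns {source: [accepted, dropped]}.
    """
    credits = Fraction(burst)
    refill = Fraction(rate_per_min, 60)          # credits per second
    last, stats = None, {}
    for t, src in sorted(packets, key=lambda p: p[0]):
        if last is not None:
            credits = min(Fraction(burst), credits + (t - last) * refill)
        last = t
        counts = stats.setdefault(src, [0, 0])
        if credits >= 1:
            credits -= 1
            counts[0] += 1
        else:
            counts[1] += 1
    return stats


def flood(requests_per_min, minutes, src="flood"):
    """Constructed traffic: evenly spaced requests at a fixed rate."""
    return [(Fraction(60 * i, requests_per_min), src)
            for i in range(requests_per_min * minutes)]


def visitor(count, src="visitor"):
    """Constructed legitimate client: one request every 7.3 s, starting at 4.02 s."""
    return [(Fraction(402 + 730 * j, 100), src) for j in range(count)]


if __name__ == "__main__":
    attack = flood(550, 3)                       # mid-point of the reported 500-600/min
    print(simulate_limit(attack, 60, 20))
    # The limit match keeps one bucket for the whole rule, not one per source,
    # so the flood and the legitimate client compete for the same credits.
    print(simulate_limit(attack + visitor(24), 60, 20))
```

The load on the web server drops to the configured rate, but because the bucket is shared the flood takes nearly every credit and the legitimate client is served once in 24 tries. Per-source limiting (the `hashlimit` match in current iptables) or blocking the offending range at the edge, as the quoted reply suggests, avoids starving legitimate clients.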