> I don't actually see how any attempts to block the traffic at your host will
> prevent you being charged for that traffic.
That's easy to answer. If they can't connect to your web server (because
of iptables) then they can't send the HTTP request and your server doesn't
have to return its error page. You also need to know that these attacks
seem to come in groups of 12 requests. If you take a hit on the first one
you can still block the remaining 11.
Using my server logs for last month
Virus generated requests: 10,000
Average request size: 500 bytes (plus TCP/IP overhead)
Total traffic from viruses: 5MB without blocking, 0.4MB with blocking
The figures on my server are pretty small. One of my previous employers
has an error page that is nearly 8k. With the same 10,000 hits their figures
would be more like 80MB without blocking and 6MB with.
> It may stop filling up your logs if you are running an active web server,
> but for the effort logs are fairly cheap things.
It's got nothing to do with running an active web server. I started
getting virus generated requests within 15 minutes of setting up my server.
My web server traffic is fairly low (because the server is mostly for
friends' e-mail) and it's outstripped 10-1 by virus generated requests.
> The only useful thing I see in this would be to alert dumb NT admins that
> their boxes have worms and need cleaning out ASAP...
In my experience a pointless exercise that usually results in discovering
that it's someone's desktop (if you can find a real person). While leaving a
file on their desktop might sound like a good idea all it takes is an idiot
user that thinks you are hacking his machine and suddenly you're on the
wrong side of the law. :(
Rich
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
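
The block-after-first-hit accounting from the reply above, as an added example that is not part of the original post: it replays an access log, emits one iptables DROP rule per source on its first probe, and totals the bytes served with and without blocking. Assumptions: the `/WORM-PROBE` marker path, the log lines and the source addresses are constructed, and a blocked source is counted as costing nothing, as the post does.

```python
import ipaddress
import re

# Constructed marker path; the post does not say which URLs the worm requests.
PROBE = re.compile(r'"GET /WORM-PROBE')
LOG_LINE = re.compile(r'^(\S+) ')

def block_rule(ip):
    # Validate before building a command from log-derived text.
    addr = ipaddress.ip_address(ip)
    return f"iptables -I INPUT -s {addr} -p tcp --dport 80 -j DROP"

def replay(lines, bytes_per_hit=500):
    """Replay a log as if each source were blocked after its first probe."""
    blocked, rules = set(), []
    unblocked_bytes = blocked_bytes = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not PROBE.search(line):
            continue                      # normal or unparseable traffic
        ip = m.group(1)
        unblocked_bytes += bytes_per_hit  # cost with no firewall rule
        if ip in blocked:
            continue                      # later hits never reach the server
        blocked_bytes += bytes_per_hit    # the first hit is still served
        blocked.add(ip)
        rules.append(block_rule(ip))
    return rules, unblocked_bytes, blocked_bytes

def sample_log():
    # Constructed: two infected hosts sending 12 probes each, one visitor.
    lines = []
    for ip in ("203.0.113.7", "203.0.113.9"):
        for i in range(12):
            lines.append(f'{ip} - - [01/Jan/2002:00:00:{i:02d} +1100] '
                         f'"GET /WORM-PROBE/{i} HTTP/1.0" 404 500')
    lines.append('198.51.100.20 - - [01/Jan/2002:00:01:00 +1100] '
                 '"GET /index.html HTTP/1.0" 200 1200')
    return lines

if __name__ == "__main__":
    rules, before, after = replay(sample_log())
    print("\n".join(rules))
    print(f"worm traffic: {before} bytes unblocked, {after} bytes blocked")
```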