
Re: [cobalt-security] NIMDA Attacks - Anyway to deny requests?



Your server(s) are already denying the request... think about it... all you would be
doing is stopping the logging, your CPU overhead will probably remain the same. The
CPU overhead you gain from not logging will probably be replaced by the little bit
extra it takes to filter the request. The packets are still going to hit your box, so
unless you can filter them through a very cleverly designed firewall, you're probably
not going to see any improvement to server performance.

David Yates Buckley wrote:
> 
> Yes, me too,
> 
> Could some kind soul tell us what we could do to httpd.conf to just
> ignore and drop all requests .*\.exe.*
> I am eager to not break anything in there but would love to not have to
> watch my log files grow with junk.
> 
> yates
> 
> At 11:49 AM 9/20/01 -0700, you wrote:
> >Hi all,
> >
> >I'm wondering if there's a way to deny requests to the folders NIMDA attacks
> >are requesting?
> >
> >I see in my log there are key folders being scanned/requested:
> >
> >/scripts/
> >/c/winnt/
> >/d/winnt/
> >/MSADC/
> >/_vti_bin/
> >/_mem_bin/
> >
> >And many upper/lowercase combinations.  I know that Cobalt/*nix servers won't
> >get "infected" by the virus (I think).  But the sheer volume of requests is
> >so high, that server performance is suffering.  Would denying requests have
> >an effect on server performance, if it's even possible?
> >
> >Any suggestions are appreciated.
> >
> >Best regards,
> >Ervin Tarkhanian
> >
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
> 
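
The reply's claim that the server is already refusing these requests can be checked against an access log. The following is an added example, not part of the original thread: it counts requests matching the folders listed above and the `.exe` pattern, and tallies the status codes the server returned for them. The log lines are constructed, Apache Common Log Format is assumed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Folders listed in the thread plus the .exe pattern from the follow-up, any case.
# Assumption: the site itself serves nothing from these paths.
PROBE = re.compile(
    r"^/(scripts|c/winnt|d/winnt|msadc|_vti_bin|_mem_bin)/|\.exe", re.IGNORECASE)
# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:11:40:01 -0700] "GET /scripts/x.exe HTTP/1.0" 404 276
192.0.2.10 - - [20/Sep/2001:11:40:01 -0700] "GET /MSADC/x.exe HTTP/1.0" 404 274
192.0.2.10 - - [20/Sep/2001:11:40:02 -0700] "GET /c/winnt/x.exe HTTP/1.0" 404 286
198.51.100.7 - - [20/Sep/2001:11:40:05 -0700] "GET /index.html HTTP/1.0" 200 5120
192.0.2.44 - - [20/Sep/2001:11:40:09 -0700] "GET /_VTI_BIN/x.exe HTTP/1.0" 404 300
198.51.100.7 - - [20/Sep/2001:11:40:11 -0700] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

def summarize(log_text):
    """Count probe requests and tally their status codes and source hosts."""
    stats = {"total": 0, "probes": 0, "unparsed": 0,
             "status": Counter(), "sources": Counter()}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            stats["unparsed"] += 1  # keep a count rather than silently dropping
            continue
        host, _method, path, status, _size = m.groups()
        stats["total"] += 1
        if PROBE.search(path):
            stats["probes"] += 1
            stats["status"][status] += 1
            stats["sources"][host] += 1
    return stats

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['probes']} of {s['total']} requests match the probe patterns")
    print("status codes returned to probes:", dict(s["status"]))
    print("top probe sources:", s["sources"].most_common(3))
```

If every probe shows a 404, the server is already refusing them and what remains is log volume and per-request handling, which is the distinction the reply draws.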