This may sound like a dumb question, but isn't it possible to filter out
inbound http GET requests on port 80 from being passed on to client networks
when the request is longer than N bytes, where "N" is something reasonable,
like say 512?

And if so, wouldn't this "cure" the CodeRed problem?

-S

Bob Tanner wrote:
> 
> Quoting Steve Siegfried (sos at zjod.net):
> > Folks,
> > 
> > I was wondering why my WWW hit monitors suddenly went to zero.  Then I
> > checked and found out why:  No hits.  When I logged into my backup ISP and
> > tried "lynx http://zjod.net", I got, "Unable to contact remote host." I also
> > checked ftp, ssh, and telnet, which all worked.  Only http access wasn't
> > going through.
> 
> I do agree with the measures they took. At 7pm CST today, Real Time had to do
> the same thing, because of the load it was putting on the routers. The packet
> storm was affecting all services at Real Time.
> 
> I do -not- agree with how they went about it. They should have given you a heads
> up on what they are doing. I posted to all Real Time clients saying we needed to
> take this drastic measure to ensure quality of service for everyone. Kind of the
> few must suffer for the many.
> 
> So, I disabled port 80 to all client networks. I then logged (and I'm still
> logging) all the deny attempts.  
> 
> We are getting over 500 CR2 hits every 600 seconds on just 1 network alone. I am
> now going through the data and punching holes into it to allow traffic to
> linux/apache servers.
> 
> 
> -- 
> Bob Tanner <tanner at real-time.com>       | Phone : (952)943-8700
> http://www.mn-linux.org                 | Fax   : (952)943-8500
> Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
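The length filter Steve asks about, written up as an added example (a Python prototype, not code from anyone in this thread and not a router ACL): it drops inbound GET requests whose request line exceeds N bytes, logs each denial the way Bob describes logging his deny attempts, and tallies them per source. The sample traffic is constructed, and the addresses, the 512-byte limit and the padded request are illustrative assumptions.

```python
"""Prototype of the length filter proposed in the thread: deny inbound HTTP
GET requests whose request line exceeds N bytes, log the denials, and
summarise them per source.  Constructed example, not from the thread."""
from collections import Counter
from typing import List, Tuple

MAX_REQUEST_LINE = 512  # the "N" from the thread; tune per site


def request_line(raw: bytes) -> bytes:
    """Return the first line of an HTTP request (method, URI, version)."""
    end = raw.find(b"\n")
    line = raw if end == -1 else raw[:end]
    return line.rstrip(b"\r")


def classify(raw: bytes, max_len: int = MAX_REQUEST_LINE) -> Tuple[str, str]:
    """Decide whether a request is passed on or dropped.

    Returns (verdict, reason) where verdict is 'allow' or 'deny'.
    The rule is scoped to GET only, as proposed in the thread."""
    line = request_line(raw)
    if not line.startswith(b"GET "):
        return "allow", "not a GET"
    if len(line) > max_len:
        return "deny", f"request line {len(line)} > {max_len} bytes"
    return "allow", "within limit"


def filter_log(events: List[Tuple[str, bytes]],
               max_len: int = MAX_REQUEST_LINE) -> Tuple[List[str], Counter]:
    """Run classify() over (source_ip, raw_request) events.

    Returns the deny log lines plus a per-source deny count, so the
    operator can see which sources the rule is catching and where
    exceptions ("punching holes") may be needed."""
    deny_log: List[str] = []
    per_source: Counter = Counter()
    for src, raw in events:
        verdict, reason = classify(raw, max_len)
        if verdict == "deny":
            per_source[src] += 1
            head = request_line(raw)[:40]
            deny_log.append(f"DENY src={src} {reason} head={head!r}")
    return deny_log, per_source


# Constructed sample traffic (not captured data); addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_EVENTS = [
    ("192.0.2.10", b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    # Overlong GET: the path is stuffed with filler bytes, the shape the
    # thread proposes to block.  Repeated twice from one source.
    ("198.51.100.7", b"GET /" + b"X" * 600 + b" HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", b"GET /" + b"X" * 600 + b" HTTP/1.0\r\n\r\n"),
    # Legitimate but long search URL: a false positive for a pure length rule.
    ("192.0.2.20", b"GET /search?q=" + b"a+" * 300
                   + b"x HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Non-GET traffic is outside the rule's scope.
    ("192.0.2.30", b"POST /form HTTP/1.0\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    log, counts = filter_log(SAMPLE_EVENTS)
    for entry in log:
        print(entry)
    for src, n in counts.most_common():
        print(f"{src}: {n} denied")
```

Two caveats the prototype makes visible. A plain length rule also drops the long but legitimate search URL, so the per-source log is what lets an operator add exceptions for hosts that should keep receiving such traffic. And the prototype classifies a whole request, whereas a stateless packet filter on port 80 only sees individual TCP segments; a request line that spans segments, or that is padded beyond the first segment, is not reliably measured that way, so the check belongs in something that reassembles the stream (a proxy or stateful inspection) rather than in a per-packet ACL.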