I would recommend the switch to a new IP address. Use DNS Round Robin (assuming you can multi-home) for the transition period and once TTL's have expired eliminate the exploited address. Rob -----Original Message----- From: zcatat_private [mailto:zcatat_private] Sent: Friday, August 30, 2002 2:48 AM Cc: incidentsat_private Subject: RE: [incidents] Bots hitting my web server? > You're not seeing bots, you're seeing surfers in a misguided > attempt to keep their "anonymity," or to defeat proxies > that filter by domain/host in corporate/school environments > (hence the porn site requests you see in your logs). Here's another suggestion. Reconfigure apache so that every time someone attempts to use it as a proxy it returns (in the appropriate format; html, jpg, etc to match the request) a small message announcing that the request and client IP are being logged to a publically accessable web page. On that web page explain WHY you're doing this (cost of bandwidth etc). That should get you off the end-user's proxy lists very quickly, and will eventually help with the public lists too. And it'll educate a few of the proxy-list users who are probably under the impression that all proxies are run intentionally as a public service, like IRC servers and MUD's. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 02 2002 - 10:08:23 PDT