floods through our proxy

From: Jon Zobrist (jzobristat_private)
Date: Tue Jul 29 2003 - 13:47:45 PDT

Next message: Frank Knobbe: "RE: Scan of TCP 552-554"

Previous message: morning_wood: "[Full-Disclosure] DCOM RPC - DEVESTATING IN SCOPE"
Next in thread: mms: "Re: floods through our proxy"
Reply: mms: "Re: floods through our proxy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We have an old software proxy that clients surfed through.
It's discontinued and normally we have 50 clients or less still trying
to use it. In the last hour it's climbed to over 3000 so I did some
investigating.
It seems the same clients over and over are making massive amounts of
http queries. Since we don't proxy, we just forward to a page that says
product discontinued, and since that page is on a thttpd server, it
hasn't affected us.

However, it seems to be a DoS...I've got 8 IPs that were sending a
combined 40 requests/second listed in my firewall now.

Anyone else noticing any bursts in http traffic or known attacks?
-- 
Jon Zobrist 
CISSP
<jzobristat_private>

application/pgp-signature attachment: This is a digitally signed message part

Next message: Frank Knobbe: "RE: Scan of TCP 552-554"
Previous message: morning_wood: "[Full-Disclosure] DCOM RPC - DEVESTATING IN SCOPE"
Next in thread: mms: "Re: floods through our proxy"
Reply: mms: "Re: floods through our proxy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 07:59:15 PDT