As it was written on Jul 29, thus Jon Zobrist spake unto incidents:

Jon: Date: 29 Jul 2003 15:56:50 -0600
Jon: From: Jon Zobrist <jzobristat_private>
Jon: To: incidents <incidentsat_private>
Jon: Subject: new worm? or DDoS attack in progress
Jon:
Jon: Seems more and more clients are picking up the pace, as our proxy is
Jon: getting more and more requests.
Jon: in thttpd's logs it looks like
Jon:
Jon:
Jon: IPADDRESS - - [29/Jul/2003:15:47:38 -0600] "UNKNOWN UNKNOWN" 400 0 ""
Jon: ""
Jon:
Jon: each client seems to be making between 1 and 5 requests/second

Is this log excerpt literal? Does it literally say "IPADDRESS" where the IP address should be?

I cannot say I've seen a method of "UNKNOWN" for either Apache or IIS on my webservers, but I have seen entries such as this:

155.247.166.60 - - [29/Jul/2003:00:13:18 -0500] "- - HTTP/1.0" 500 239

Where 155.247.166.60 is our webserver proxy'ing to another webserver.

Thanks

Scott Birl http://concept.temple.edu/sysadmin/
Senior Systems Administrator
Computer Services
Temple University

This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:41:34 PDT