Cyber-Terrorism
The crashes of the file server today have been caused by a new computer
virus that has rapidly spread across the Internet.
It appears to be a Code Red variant, and like Code Red it attacks
Microsoft Windows-NT based web servers and then, when it infects a machine,
attempts to infect others.
Our server isn't NT based, but we are getting so many hits from infected
NT servers that it's running our machine, with 768MB of RAM, out of memory
because it has to fork an apache process for each request.
The requests are coming in at rates exceeding 60/second, where the normal
traffic our webserver handles peaks at around 25/second. This was completely
saturating our T1's outbound. I took off the long 404 page we normally return
so that it would at least reduce the outgoing load and I've throttled the
number of Apache processes to 256.
This will make the web server response slower but at this point it's a
choice between it being slow and dying instantly.
In all the years I've been running an ISP, this is the first virus I've
seen that was sufficiently virulent to completely saturate facilities or
servers. The CERT website already had this listed on their current activity
when I checked, and I reported it to the FBI as well, and they say they've also
been swamped with calls.