> > I do agree with the measures they took. At 7pm CST today, Real Time had to do > the same thing, because of the load it was putting on the routers. The packet When they complain, tell them to patch their damn IIS. ;P > storm was effecting all services at Real Time. > > I do -not- agree with how they went about it. They should have given you a heads > up on what they are doing. I posted to all Real Time clients saying we needed to > take this drastic measure to insure quality of service for everyone. Kind of the > few must suffer for the many. > > So, I disabled port 80 to all client networks. I then logged (and I'm still > logging) all the deny attempts. > > We are getting over 500 CR2 hits every 600 seconds on just 1 network alone. I am > now going through the data and punching holes into it to allow traffic to > linux/apache servers. How about writing a script that uses ngrep or tcp dump to detect which of your customers are infected by codered, and drop only those off the net somehow. (Null route? Kick if a ppp user, etc...) And if you really want to get extreme, null route outside infected servers at your border router as well. When they complain, tell them to patch their damn IIS. ;P This is starting to sound a bit like ORBS. How hard would it to be to transparent proxy HTTP and check for codered at your border router or DSL router or wherever the biggest bottleneck is... I've been meaning to play with frame redirection or whatever they're calling it now.