> -----Original Message----- > From: Ken Schaefer [mailto:ken at adOpenStatic.com] > Sent: Wednesday, December 18, 2002 4:21 PM > To: thelist at lists.evolt.org > Subject: Re: [thelist] code red making a mess of logs > > > a) Use a firewall how would using a firewall help? aren't these attacks directed at port 80? if so, a firewall wouldn't do much since he needs to keep port 80 open for his legit website. let me know if i'm wrong. > -or- > b) If you're using IIS, use the IIS Lockdown tool to install > URLScan - this > is an ISAPI filter which will block these types of requests > (and log them to > it's own logfile) you may already know this ken but i thought i'd mention it to everyone else. urlscan does not require that iis lockdown be installed. it can be used alone. another thing is that although urlscan does send the real requests to a different log, it still logs the attempts in the real logs. the only difference is that they do not contain any information. i don't remember exactly what they look like in the logs, but they look something like this... <date_time> 404 - - - - - - - - - - anyways, just thought i'd mention it. > -or- > c) Use a host-header. The attack is directed at the IP > address. If there's > no website listening on that IP address alone, nothing will > get logged. could you explain this in a little more detail? i'm not sure how this would be setup. (not because i don't think it would work, just because i don't know exactly what you mean.) chris.