> - NIMDA & Co never use proxies, so the danger of blocking all of AOL
>   doesn't exist. (I'm not saying this would be a bad thing though =)

Well, yes and no.  Remember that some organizations have a large number
of users sitting behind proxy servers that client requests are
automatically redirected to using layer-7 switches.  Any boxes running
IIS behind a setup like this that get whacked by 'Nimda & Co' will
appear to the outside world to be coming from one (or a couple) of IP
addresses... those of the proxy server(s).  Thus, blocking anything
coming from this, or these couple, of IP addresses could deny a whole
bunch of users access to your network.  It's something to think about
before _automating_ the denial of resources to 'hostile' hosts... such
as someone who may figure out what you're doing and spoof the root DNS
server's addresses as the source of the 'hostile traffic'. =)
Seriously, if you're going to automate stuff like this, make sure you
have a good whitelist.

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
[EMAIL PROTECTED]
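
An added example, not part of the original message: a sketch of the allowlist check recommended above, applied before any automated block. The log format, addresses, threshold and probe signature are all constructed assumptions; allowlisted sources are routed to manual review instead of being blocked.

```python
import ipaddress
import re
from collections import Counter

# Assumed signature: request paths commonly logged from Nimda-style IIS probes.
PROBE = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)

# Constructed allowlist: sources that must never be blocked automatically.
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/28",      # constructed: a shared proxy farm fronting many users
    "198.51.100.53/32",  # constructed: a DNS server you depend on (spoofable)
)]
THRESHOLD = 3  # probes from one source before any action is taken


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def decide(log_lines):
    """Map each source over THRESHOLD to 'block', or 'review' if allowlisted."""
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line
        src, _method, path = parts
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        if PROBE.search(path):
            hits[src] += 1
    return {ip: "review" if is_allowlisted(ip) else "block"
            for ip, n in hits.items() if n >= THRESHOLD}


# Constructed sample log in the form "<source> <method> <path>".
SAMPLE_LOG = (
    ["203.0.113.7 GET /scripts/root.exe?/c+dir"] * 3      # infected host
    + ["192.0.2.5 GET /scripts/root.exe?/c+dir"] * 4      # behind the proxy
    + ["198.51.100.53 GET /c/winnt/system32/cmd.exe?/c+dir"] * 3  # spoofed
    + ["203.0.113.9 GET /scripts/root.exe?/c+dir",        # below threshold
       "203.0.113.7 GET /index.html", "garbage"]
)

if __name__ == "__main__":
    for ip, action in sorted(decide(SAMPLE_LOG).items()):
        print(ip, action)
```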
