Subject: Re: Dist DoS and thank you.
To: Stephen M Jones <smj@cirr.com>
From: John Pettitt <jpp@cloudview.com>
List: tech-security
Date: 09/07/2001 21:58:37
It would be interesting to unblock one of the "bad" IPs with tcpdump
running to capture traffic to/from that address and see what the whole
conversation looks like.  That may give a better idea as to what's
happening (and in turn why Apache is not logging it).

John

At 05:50 PM 9/7/2001, Stephen M Jones wrote:
>Hi Folks ..
>
>I was able to subdue the 'port flooding' for now.  Basically, as odd
>as it may seem, those requests were being sent from legitimate IP
>addresses.  It was a carefully planned and organised attack and I've
>notified each network.  Not unlike some we've seen before in the past.
>
>The tools I used:  tcpdump, sed, awk, ksh, and ipf ..
>
>Basically I took down the webserver and used tcpdump to listen to
>attempts to connect to port 80:
>
>tcpdump -n host ip and port 80
>
>and wrote it out to a file.
>
>I checked back in 45 minutes to generate a list of IP addresses and
>how many requests were made using ksh, sed and awk .. which then wrote
>firewall rules for those IPs and ipf ate that .. the ping times went
>down and I could then bring the webserver back up.  I'm monitoring
>for any lower bandwidth sites that were involved.  As Chris suggested
>it's a bit of a pain to weed out malicious from proxy cache, but I'm
>doing what I can.  They were mostly from Eastern Europe (our network
>is in the western United States).
>
>I'd like to say thank you for your suggestions and participation in
>the thread.  Thank you!
>
>SMJ


John Pettitt                                     Email: jpp@cloudview.com

"We do not inherit the Earth from our ancestors, ...
                 ... we borrow it from our children"
                                         Ralph Waldo Emerson

PGP keys at http://www.cloudview.com/images/JPPPGP.asc
Fingerprint: 81B5 446D 3E0E 1CDE 5A45  644A A744 54C4 7886 3658
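Stephen's procedure (tcpdump capture of port-80 connection attempts, a count per source IP with awk, then ipf block rules generated from the counts) can be scripted in a few lines of POSIX sh. The block below is an added example written for this page; it is not the script Stephen used and not part of the original thread. The sample tcpdump lines are constructed (TEST-NET addresses, with 198.51.100.5 standing in for the web server), and the interface name fxp0, the threshold of 3 SYNs, and the rule syntax are assumptions. It counts only pure SYN packets addressed to the server's port 80, so the server's own SYN/ACK replies and the legitimate follow-up ACKs of a real client are not counted, which is the "weeding out" problem the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): count inbound SYNs to port 80 per
# source IP from tcpdump text output, then emit ipf block rules for any
# source at or above a threshold. Addresses, threshold and interface are
# assumptions; the rules are printed, not loaded.

# Constructed sample of "tcpdump -n host 198.51.100.5 and port 80" output.
# Both the 2001-era "S" flag format and the newer "Flags [S]" format appear.
SAMPLE='21:15:01.100000 192.0.2.10.34567 > 198.51.100.5.80: S 1000:1000(0) win 5840
21:15:01.200000 192.0.2.10.34568 > 198.51.100.5.80: S 1001:1001(0) win 5840
21:15:01.300000 192.0.2.10.34569 > 198.51.100.5.80: S 1002:1002(0) win 5840
21:15:01.400000 203.0.113.7.40001 > 198.51.100.5.80: S 2000:2000(0) win 16384
21:15:01.500000 198.51.100.5.80 > 203.0.113.7.40001: S 3000:3000(0) ack 2001 win 5840
21:15:01.600000 IP 203.0.113.9.51000 > 198.51.100.5.80: Flags [S], seq 4000, win 65535
21:15:01.700000 203.0.113.7.40001 > 198.51.100.5.80: . ack 3001 win 16384'

# count_syn_sources SERVER_IP < tcpdump.txt
# Prints "count source_ip", highest count first. Only packets whose
# destination is SERVER_IP port 80 and whose flags are a pure SYN are
# counted, so SYN/ACK replies and data/ACK packets are ignored.
count_syn_sources() {
    awk -v want="$1.80:" '
        {
            for (i = 2; i < NF; i++) if ($i == ">") break
            if ($(i+1) != want) next          # not addressed to the server:80
            f = $(i+2)
            if (f == "Flags") f = $(i+3)      # newer tcpdump: "Flags [S],"
            if (f != "S" && f != "[S],") next # keep pure SYN only
            if (f == "S" && $(i+4) == "ack") next  # old-format SYN/ACK
            src = $(i-1); sub(/\.[0-9]+$/, "", src) # strip the source port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# gen_ipf_rules THRESHOLD IFACE < counts
# Emits one ipf rule per source with at least THRESHOLD SYNs. The rule
# form assumed here blocks TCP to port 80 from that host on IFACE.
gen_ipf_rules() {
    awk -v min="$1" -v ifc="$2" '
        $1 + 0 >= min + 0 {
            printf "block in quick on %s proto tcp from %s/32 to any port = 80\n", ifc, $2
        }
    '
}

# Demo over the constructed sample: rules go to stdout. Loading them into
# the kernel (e.g. "ipf -f rules.txt") is left to the operator, who should
# first review the list for caches and proxies that merely look noisy.
printf '%s\n' "$SAMPLE" | count_syn_sources 198.51.100.5 | gen_ipf_rules 3 fxp0
```

In live use, replace the `printf` of `$SAMPLE` with the capture file tcpdump wrote, and pick the threshold from the distribution the first function prints rather than guessing it; a proxy cache that fronts many real users will show a high count with completed handshakes, whereas the flood sources in the thread show SYNs with no follow-up traffic.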