Full Disclosure mailing list archives
MSBlast DDoS
From: "Jasper Blackwell" <jasper599 () hotmail com>
Date: Wed, 13 Aug 2003 08:02:49 +0100
Hi All,

I should have kept on reading the list after TC's post and I would have found the answer to my question, doh :). It's early here and I hadn't had any caffeine yet, always a bad idea trying to think before my morning caffeine :).
Anyway, another question for you all. We are having some success here tracking infected machines by looking for dropped 135 connection attempts to Internet IP addresses on our Internet firewall log. I am wondering what the DoS traffic is going to look like on our firewall logs should any infections still be with us on the 16th. Our setup requires PCs to connect to the Internet through proxy servers and those proxy servers' IP addresses are allowed through the firewall, the PCs' IP address ranges are not.
Does anyone know if the DoS which works on port 80, according to the eEye advisory, is going to go through the proxy servers or just straight to the firewall? I would guess it will go through the proxy servers.
Also any clues what to look for on the firewall logs? Again if it goes through the proxy servers I suppose looking for a lot of traffic from our proxies to the Windows Update site, using TCP traffic.
Jasp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
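The firewall-log check described in the post above (dropped port 135 attempts from PCs to Internet addresses), as an added example that is not part of the original message. The iptables-style log format, the internal ranges, the proxy address and the `min_targets` threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed iptables-style key=value log format.
SAMPLE_LOG = """\
Aug 13 08:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=135
Aug 13 08:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.8 PROTO=TCP SPT=1046 DPT=135
Aug 13 08:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.9 PROTO=TCP SPT=1047 DPT=135
Aug 13 08:01:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.7.50 DST=203.0.113.5 PROTO=TCP SPT=2210 DPT=135
Aug 13 08:01:06 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.9.12 DST=203.0.113.9 PROTO=TCP SPT=3301 DPT=445
Aug 13 08:01:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.0.10 DST=203.0.113.80 PROTO=TCP SPT=4100 DPT=80
Aug 13 08:01:08 fw kernel: DROP IN=eth1 OUT=eth0 SRC=bad-field DST=203.0.113.9 PROTO=TCP DPT=135
"""

# Assumed internal ranges and proxy address (hypothetical values).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXIES = {ipaddress.ip_address("10.1.0.10")}
FIELD = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def suspect_hosts(log_text, min_targets=3):
    """Map internal source IP -> count of distinct Internet hosts it tried on TCP/135."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if " DROP " not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "135":
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # skip malformed or truncated entries
        # PCs should never reach the Internet directly; proxies are excluded.
        if is_internal(src) and src not in PROXIES and not is_internal(dst):
            targets[src].add(dst)
    return {str(s): len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, count in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host} tried TCP/135 on {count} distinct Internet addresses")
```

Counting distinct destinations rather than raw drops separates a scanning host from a PC that retried one misconfigured connection.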