Full Disclosure mailing list archives
RE: MSBlast DDoS
From: "Chris Eagle" <cseagle () redshift com>
Date: Wed, 13 Aug 2003 05:35:24 -0700
The DDoS packets should go straight to your firewall. They are raw IP packets crafted with the windowsupdate.com IP address as the destination, not that of your proxy server, so they should be sent to your gateway device. The source IP is randomized in various ways so probably won't appear to originate from within your network. The source MAC should be traceable back to the infected machine however.

Chris

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Jasper Blackwell
Sent: Wednesday, August 13, 2003 12:03 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] MSBlast DDoS

Does anyone know if the DoS which works on port 80, according to the eEye advisory, is going to go through the proxy servers or just straight to the firewall? I would guess it will go through the proxy servers.

Also any clues what to look for on the firewall logs? Again if it goes through the proxy servers I suppose looking for a lot of traffic from our proxies to the windows update site, using TCP traffic.

Jasp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
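An added example, not part of either post: one way to apply the reply's advice to gateway logs, grouping port-80 packets aimed at the flood target by source MAC and flagging any MAC that sends from many source IPs or from addresses outside the internal prefix. The netfilter-style log format, interface name, internal prefix, target address and sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not from the post: netfilter-style LOG lines, the inside
# interface name, the internal prefix, and a placeholder target address.
INSIDE_IF = "eth1"
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
TARGET_IP = "198.51.100.10"  # placeholder for the flood target's address
GW_MAC = "00:10:5a:aa:bb:01"
FIELD = re.compile(r"(\w+)=(\S*)")

def sample_line(src_mac, src_ip, dst_ip=TARGET_IP):
    """Build one constructed log line (not captured traffic)."""
    return (f"Aug 13 05:00:01 gw kernel: IN={INSIDE_IF} OUT=eth0 "
            f"MAC={GW_MAC}:{src_mac}:08:00 SRC={src_ip} DST={dst_ip} "
            "LEN=40 PROTO=TCP SPT=1021 DPT=80 SYN")

SAMPLE_LOG = "\n".join([
    sample_line("00:0c:29:11:22:33", "10.1.201.14"),
    sample_line("00:0c:29:11:22:33", "10.1.37.250"),
    sample_line("00:0c:29:11:22:33", "10.7.3.3"),
    sample_line("00:0c:29:11:22:33", "10.1.9.77"),
    sample_line("00:0c:29:44:55:66", "10.1.5.20"),               # one real source
    sample_line("00:0c:29:77:88:99", "10.1.5.21", "192.0.2.80"),  # other site
])

def parse(line):
    """Split KEY=VALUE fields; MAC= is dst(6) + src(6) + ethertype(2)."""
    fields = dict(FIELD.findall(line))
    octets = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) >= 12 else None
    return fields

def suspect_macs(log_text, min_sources=3):
    """Group port-80 packets to the target by source MAC, flag spoofers."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        f = parse(line)
        if (f.get("IN"), f.get("DST"), f.get("DPT")) != (INSIDE_IF, TARGET_IP, "80"):
            continue
        if f.get("PROTO") == "TCP" and f["SRC_MAC"] and "SRC" in f:
            sources[f["SRC_MAC"]].add(f["SRC"])
    report = {}
    for mac, ips in sources.items():
        outside = [ip for ip in ips if ipaddress.ip_address(ip) not in INTERNAL_NET]
        if len(ips) >= min_sources or outside:
            report[mac] = {"distinct_sources": len(ips), "outside_prefix": len(outside)}
    return report

if __name__ == "__main__":
    for mac, stats in suspect_macs(SAMPLE_LOG).items():
        print(mac, stats)
```

A MAC address identifies only the last layer-2 hop before the gateway, so on a routed internal network a flagged address may belong to an internal router rather than the infected machine.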