Full Disclosure mailing list archives
RE: msblast DDos counter measures
From: "Marc Maiffret" <marc () eeye com>
Date: Thu, 14 Aug 2003 14:57:47 -0700
Yah, this has been mentioned a few times, although I am not sure why you'd blackhole windowsupdate.microsoft.com, therefore keeping machines from using Windows Update to get patches. The worm only hits windowsupdate.com itself, so you only need to 127.0.0.1 that. Unless I am missing something, like you're just wanting to be overly paranoid or something?

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of B3r3n
| Sent: Thursday, August 14, 2003 11:10 AM
| To: full-disclosure () lists netsys com
| Subject: [Full-disclosure] msblast DDos counter measures
|
|
| All,
|
| We found a simple solution to protect our IntraNet against the DDoS.
|
| The msblast.exe will SYN flood windowsupdate.com (or
| windowsupdate.microsoft.com) with 50 packets per second (according to our
| tests).
|
| Since our IntraNet solves all its DNS queries through internal caches
| (mandatory bottleneck), we created windowsupdate.com &
| windowsupdate.microsoft.com zones in this bottleneck DNS. These are
| resolving to 127.0.0.1 with DNS wildcards.
|
| After the Microsoft DNS TTL had expired (15 minutes is the worst TTL), we
| got confirmation that all known windowsupdate domain hosts (www.windowsupdate.com,
| windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com &
| v4.windowsupdate.microsoft.com) were resolved to localhost.
|
| We now expect the worm to flood the box it is hosted on and so preserve
| our IntraNet.
|
| Hope this can help others.
|
| Brgrds
|
| Laurent LEVIER
| Equant Information Technology & Systems - Equant Security Organization -
| Internal Network (WAN IntraNet) - Systems & Networks Security Expert
| Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
|
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
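The sinkhole the quoted post describes (authoritative zones on the internal caching resolvers whose apex and wildcard records point at 127.0.0.1), written out as a small POSIX sh script. This is an added example, not code from either poster: it assumes BIND 9 zone-file and named.conf syntax, a zone directory of /etc/named/sinkhole (an assumed path), a 300-second TTL, and that dig is available for the live check. The sinkholed() helper mirrors the resolver's zone selection so you can see up front which names a given zone list will capture; as Marc's reply notes, adding windowsupdate.microsoft.com captures v3/v4.windowsupdate.microsoft.com too, so clients behind the cache lose Windows Update along with the flood target.

```shell
#!/bin/sh
# Added example (not from the thread): BIND sinkhole zones answering a domain
# and every name under it with 127.0.0.1, as the post did for windowsupdate.com.
# Assumptions: BIND 9 syntax, zone files under ZONE_DIR (path assumed), TTL 300s.

SINKHOLE_IP=127.0.0.1
ZONE_DIR=/etc/named/sinkhole   # assumed location of the generated zone files

# Print a minimal master zone for $1 whose apex ("@") and wildcard ("*") both
# resolve to the sinkhole address.  $TTL is escaped so it reaches the zone file.
sinkhole_zone() {
    cat <<EOF
\$TTL 300
@       IN SOA  localhost. hostmaster.localhost. (
                1       ; serial
                3600    ; refresh
                900     ; retry
                604800  ; expire
                300 )   ; negative-cache TTL
@       IN NS   localhost.
@       IN A    $SINKHOLE_IP
*       IN A    $SINKHOLE_IP
EOF
}

# Print a named.conf "zone" stanza for every domain passed as an argument.
sinkhole_named_conf() {
    for d in "$@"; do
        printf 'zone "%s" {\n    type master;\n    file "%s/%s.zone";\n};\n' \
            "$d" "$ZONE_DIR" "$d"
    done
}

# Decide whether name $1 would be answered by one of the sinkhole zones given
# as the remaining arguments: a match is the zone apex itself or any label
# chain ending in ".<zone>".  Prints 1 when sinkholed, 0 otherwise.  Note that
# "windowsupdate.com.example" is NOT under windowsupdate.com and stays live.
sinkholed() {
    name=$1
    shift
    for d in "$@"; do
        case "$name" in
            "$d"|*."$d") echo 1; return 0 ;;
        esac
    done
    echo 0
}

# Live check against a resolver, the step the post did after the upstream TTL
# expired: print any name that still resolves to something other than the
# sinkhole.  Returns non-zero if at least one name is not yet sinkholed.
verify_sinkhole() {
    resolver=$1
    shift
    bad=0
    for n in "$@"; do
        got=$(dig +short A "$n" @"$resolver" | head -n 1)
        if [ "$got" != "$SINKHOLE_IP" ]; then
            echo "NOT SINKHOLED: $n -> ${got:-NXDOMAIN/no answer}"
            bad=1
        fi
    done
    return $bad
}

# Usage (writes the config; run as the resolver admin):
#   mkdir -p "$ZONE_DIR"
#   for z in windowsupdate.com windowsupdate.microsoft.com; do
#       sinkhole_zone "$z" > "$ZONE_DIR/$z.zone"
#   done
#   sinkhole_named_conf windowsupdate.com windowsupdate.microsoft.com >> /etc/named.conf
#   rndc reload
#   verify_sinkhole 127.0.0.1 www.windowsupdate.com v4.windowsupdate.microsoft.com
```

Two caveats follow directly from the thread: hosts that do not use the internal caches (hard-coded external resolvers, dial-up clients) are not protected by this, and the wildcard zone for windowsupdate.microsoft.com also blackholes the hosts that legitimate Windows Update clients need, which is the trade-off Marc objects to.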
Current thread:
- msblast DDos counter measures B3r3n (Aug 14)
- MS should point windowsupdate.com to 127.0.0.1 Tobias Oetiker (Aug 14)
- RE: MS should point windowsupdate.com to 127.0.0.1 Jeroen Massar (Aug 14)
- RE: MS should point windowsupdate.com to 127.0.0.1 Steffen Kluge (Aug 15)
- RE: MS should point windowsupdate.com to 127.0.0.1 Jeroen Massar (Aug 14)
- RE: msblast DDos counter measures Marc Maiffret (Aug 14)
- RE: msblast DDos counter measures Laurent LEVIER (Aug 15)