Full Disclosure mailing list archives
Re: DDos counter measures
From: "Matthew Lange" <matthew.lange () langeconsulting com>
Date: Thu, 14 Aug 2003 23:00:56 -0500 (CDT)
FYI - we tried this with the worm and it *doesn't* work. msblast.exe spoofed the source address as the loopback address handed out from our DNS. We instead created an empty windowsupdate.com zone. - Matt
> All,
>
> We found a simple solution to protect our IntraNet against the DDoS. The msblast.exe will SYN flood windowsupdate.com (or windowsupdate.microsoft.com) with 50 packets per second (according to our tests). Since our IntraNet resolves all its DNS queries through internal caches (a mandatory bottleneck), we created windowsupdate.com & windowsupdate.microsoft.com zones in this bottleneck DNS. These resolve to 127.0.0.1 via DNS wildcards.
>
> After the Microsoft DNS TTL had expired (15 minutes is the worst TTL), we confirmed that all known windowsupdate hosts (www.windowsupdate.com, windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com & v4.windowsupdate.microsoft.com) were resolved to localhost. We now expect the worm to flood the box it is hosted on and so preserve our IntraNet.
>
> Hope this can help others.
>
> Brgrds
>
> Laurent LEVIER
> Equant Information Technology & Systems - Equant Security Organization - Internal Network (WAN IntraNet) - Systems & Networks Security Expert
> Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Matthew Lange, CISSP
763-633-0100 home
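The two sinkhole variants discussed in this exchange, written out as BIND 9 configuration. This is an added example, not configuration posted by either author; the zone file paths, the nameserver name ns1.example.net and the serial are assumptions. Variant A is the wildcard-to-loopback zone Laurent describes; variant B is the empty zone Matthew reports using after the loopback answer failed to stop the flood in his network.

```bind
// named.conf fragment on the internal caching resolver that every
// intranet client is forced to use (the "mandatory bottleneck").
// Declaring the zone here makes this server authoritative for it, so
// the real Microsoft records are never fetched once cached copies expire.
zone "windowsupdate.com" {
    type master;
    file "sinkhole/windowsupdate.com.zone";   // assumed path
};

zone "windowsupdate.microsoft.com" {
    type master;
    file "sinkhole/windowsupdate.microsoft.com.zone";   // assumed path
};

// --- Variant A: sinkhole/windowsupdate.com.zone (wildcard -> loopback) ---
// Every name under the zone, including the apex, answers 127.0.0.1.
$TTL 900
@       IN  SOA  ns1.example.net. hostmaster.example.net. (
                 2003081401 ; serial (assumed)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 900 )      ; negative-cache TTL
@       IN  NS   ns1.example.net.
@       IN  A    127.0.0.1
*       IN  A    127.0.0.1

// --- Variant B: sinkhole/windowsupdate.com.zone (empty zone) ---
// Only SOA and NS records: www.windowsupdate.com and any other
// child name gets NXDOMAIN, the apex gets NOERROR with no A record,
// so the worm has no address to send its SYN flood to.
$TTL 900
@       IN  SOA  ns1.example.net. hostmaster.example.net. (
                 2003081401 ; serial (assumed)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 900 )      ; negative-cache TTL
@       IN  NS   ns1.example.net.
```

To confirm the sinkhole is in effect from a client, `dig @<resolver> www.windowsupdate.com A` should show status NXDOMAIN for variant B, or an answer of 127.0.0.1 for variant A. Two points worth checking before deploying either: the last SOA field sets how long clients cache the negative answer in variant B, so keep it short enough that the zone can be withdrawn quickly; and while either zone is in place, legitimate Windows Update traffic from the intranet is hijacked along with the worm's, so the zone should be removed once hosts are patched.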