Re: DDos counter measures

["Matthew Lange" <matthew.lange () langeconsulting com>]

FYI - we tried this with the worm and it *doesn't* work.  msblast.exe
spoofed the source address as the loopback address handed out from our
DNS.  We instead created an empty windowsupdate.com zone.

- Matt

> All,
>
> We found a simple solution to protect our IntraNet against the DDoS.
>
> Since the msblast.exe will SYN flood windowsupdate.com (or
> windowsupdate.microsoft.com) with 50 packets per second (according to our
> tests).
>
> Since our IntraNet solves all its DNS queries through internal caches
> (mandatory bottleneck), we created windowsupdate.com &
> windowsupdate.microsoft.com zones in this bottleneck DNS. These are
> resolving to 127.0.0.1 with DNS wildcards.
>
> After the Microsoft DNS TTL has expired (15 minutes is the worst TTL), we
> got confirm all known windowsupdate domains hosts (www.windowsupdate.com,
> windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com &
> v4.windowsupdate.microsoft.com) were resolved to localhost.
>
> We expect now the worm to flood the box it is hosted on and so preserving
> our IntraNet.
>
> Hope this can help others.
>
> Brgrds
>
> Laurent LEVIER
> Equant Information Technology & Systems - Equant Security Organization -
> Internal Network (WAN IntraNet) - Systems & Networks Security Expert
> Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
Matthew Lange, CISSP
763-633-0100 home

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html