Full Disclosure mailing list archives

Re: [normal] RE: Windows Dcom Worm planned DDoS


From: James Greenhalgh <james.greenhalgh () worldpay com>
Date: 12 Aug 2003 16:31:48 +0100

Interesting solution, but it doesn't address a couple of possible
problems, firstly - how many hosts would they need?  Secondly - can
their link cope?  No amount of front end victim boxes will help them
there - if you get to filter a packet, the bandwidth damage has already
been done.  All depends on whether or not the 15th is mass explosion, or
a cheap firework really.  I don't think M$ want the bad press of
poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
notice.

james



On Tue, 2003-08-12 at 14:13, opticfiber wrote:
Why not just set up a simple forward, that way all the traffic that would
normally be intended for the windows update site would be diverted to a
totally different host. See diagram below:

Normal Site
192.168.1.111 (windowsupdate.com)

Setup to save M$ from worm

Normal Site                                 forward
192.168.1.111 (windows.update.com)  ----------------->  192.168.100.225 (windows.offsite.update.com)

By using this setup, you can filter everything except http requests.
Furthermore, it'd be relatively simple to set up a rotating pool of
different forwards to the main site. Meaning every time someone resolved
windowsupdate.com the name resolved to a different ip address that still
forwards to the main site. By using this setup the ddos can be spread
out over several forwarding hosts and not even touch the main site.


William Reyor
TopSight - Discussions on computers and beyond
http://www.topsight.net

Andrew Thomas wrote:

From: Chris Eagle [mailto:cseagle () redshift com] 
Sent: 12 August 2003 01:31
Subject: RE: [Full-disclosure] Windows Dcom Worm planned DDoS


The IP is not hard coded.  It does a lookup on "windowsupdate.com"
Allowing the option for corporates and/or ISPs to DNS poison that
to resolve to 127.0.0.1, or even DNS race with tools like team teso's
if one doesn't use internal/caching NS.

Might save some traffic on 15 August. Alternatively, route all traffic
to the resolved IP addresses to /dev/null, but with the above, the
traffic shouldn't even leave the machine in question.

--
Andrew G. Thomas
Hobbs & Associates Chartered Accountants (SA)
(o) +27-(0)21-683-0500
(f) +27-(0)21-683-0577
(m) +27-(0)83-318-4070 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
James Greenhalgh <james.greenhalgh () worldpay com>
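The resolver-side sinkhole Andrew describes, as an added example that is not part of this thread: a BIND zone on an internal caching name server that answers windowsupdate.com (and every name under it) with 127.0.0.1, so the worm's lookup never leaves the machine. Two files are shown in one block; the server name ns.example.internal, the hostmaster address and both file paths are assumptions.

```bind
// /etc/bind/named.conf (assumed path): take local authority for the zone
zone "windowsupdate.com" {
    type master;
    file "/etc/bind/db.windowsupdate.sinkhole";
};

// /etc/bind/db.windowsupdate.sinkhole (assumed path): every name answers 127.0.0.1
$TTL 300                        ; short TTL so the entry is easy to withdraw afterwards
@   IN  SOA ns.example.internal. hostmaster.example.internal. (
            2003081201          ; serial
            3600                ; refresh
            900                 ; retry
            604800              ; expire
            300 )               ; negative-cache TTL
    IN  NS  ns.example.internal.
    IN  A   127.0.0.1           ; windowsupdate.com itself
*   IN  A   127.0.0.1           ; any host under it, e.g. www.windowsupdate.com
```

Because the resolver is now authoritative for the zone, legitimate clients behind it lose windowsupdate.com too; remove the zone stanza and reload once the window has passed.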
