Full Disclosure mailing list archives
Re: [normal] RE: Windows Dcom Worm planned DDoS
From: James Greenhalgh <james.greenhalgh () worldpay com>
Date: 12 Aug 2003 16:31:48 +0100
Interesting solution, but it doesn't address a couple of possible problems. Firstly, how many hosts would they need? Secondly, can their link cope? No amount of front-end victim boxes will help them there: if you get to filter a packet, the bandwidth damage has already been done. It all depends on whether or not the 15th is a mass explosion or a cheap firework, really. I don't think M$ want the bad press of poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the face with something like this, that's visible enough for the suits to notice.

james

On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just set up a simple forward? That way all the traffic that would normally be intended for the Windows Update site would be diverted to a totally different host. See diagram below:
>
> Normal Site
>
>     192.168.1.111 (window update.com)
>
> Setup to save M$ from worm forward
>
>     Normal Site 192.168.1.111 (windows.update.com) -----------------> 192.168.100.225 (windows.offsite.update.com)
>
> By using this setup, you can filter everything except HTTP requests. Furthermore, it'd be relatively simple to set up a rotating pool of different forwards to the main site, meaning every time someone resolved windowsupdate.com the name resolved to a different IP address that still forwards to the main site. By using this setup the DDoS can be spread out over several forwarding hosts and not even touch the main site.
>
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
>
> Andrew Thomas wrote:
>
>> From: Chris Eagle [mailto:cseagle () redshift com]
>> Sent: 12 August 2003 01:31
>> Subject: RE: [Full-disclosure] Windows Dcom Worm planned DDoS
>>
>>> The IP is not hard coded. It does a lookup on "windowsupdate.com"
>>
>> Allowing the option for corporates and/or ISPs to DNS poison that to resolve to 127.0.0.1, or even DNS race with tools like team teso's if one doesn't use internal/caching NS. Might save some traffic on 15 August.
>>
>> Alternatively, route all traffic to the resolved IP addresses to /dev/null, but with the above, the traffic shouldn't even leave the machine in question.
>>
>> --
>> Andrew G. Thomas
>> Hobbs & Associates Chartered Accountants (SA)
>> (o) +27-(0)21-683-0500
>> (f) +27-(0)21-683-0577
>> (m) +27-(0)83-318-4070
--
James Greenhalgh <james.greenhalgh () worldpay com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
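Added example, not code from anyone in this thread: a minimal DNS responder that shows, on the wire, the two mitigations the quoted messages propose. Given a raw A query for windowsupdate.com it either answers 127.0.0.1 (Andrew Thomas's sinkhole, so the worm's traffic never leaves the infected host) or hands out the next address from a rotating pool of forwarders (opticfiber's idea). The pool addresses are constructed RFC 1918 placeholders, the assumption that the worm resolves exactly the label "windowsupdate.com" comes from Chris Eagle's message, and the query packet is built by the example itself so it runs offline.

```python
"""
Added example (not from the Full-Disclosure thread): a tiny DNS "sinkhole"
responder for the windowsupdate.com lookup discussed above.

  rotate=False -> answer 127.0.0.1 (flood stays on the infected box)
  rotate=True  -> answer the next address from a forwarder pool

Queries for any other name return None; a real resolver would forward them.
"""
import itertools
import socket
import struct

# Assumption (from Chris Eagle's message): the worm resolves exactly this label.
SINKHOLE_NAMES = {"windowsupdate.com"}

# Constructed forwarder pool: RFC 1918 placeholders, not real hosts.
FORWARD_POOL = ["192.168.100.225", "192.168.100.226", "192.168.100.227"]
_pool_cycle = itertools.cycle(FORWARD_POOL)


def encode_name(name):
    """Encode 'a.b.c' as RFC 1035 labels: \\x01a\\x01b\\x01c\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name at offset; return (lowercased name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported in queries")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name, txid=0x1234):
    """Build a standard recursive-desired A/IN query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw question section) from a query."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def sinkhole_response(packet, rotate=False, ttl=60):
    """Build the poisoned answer for a sinkholed A/IN query, else return None."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    if qname not in SINKHOLE_NAMES or qtype != 1 or qclass != 1:
        return None
    addr = next(_pool_cycle) if rotate else "127.0.0.1"
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0. One question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer NAME is a compression pointer (0xC00C) back to the question at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def response_header(response):
    """Return (txid, flags, qdcount, ancount) of a response built above."""
    return struct.unpack("!HHHH", response[:8])


def answered_address(response):
    """Extract the A record address from a response built by sinkhole_response()."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    q = build_query("windowsupdate.com")
    print("sinkhole:", answered_address(sinkhole_response(q)))
    for _ in range(4):
        print("rotate:  ", answered_address(sinkhole_response(q, rotate=True)))
```

The two modes make James's objection concrete: the 127.0.0.1 answer removes the flood only for hosts that actually use the poisoned resolver, while the rotating pool just picks which box receives each host's packets, so the bytes still cross the link before any forwarder can drop them. The parser deliberately rejects compression pointers and multi-question packets rather than guessing, which is the safe failure for something sitting in a resolver path.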
Current thread:
- Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
- RE: Windows Dcom Worm planned DDoS Chris Eagle (Aug 12)
- RE: Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
- Re: [normal] RE: Windows Dcom Worm planned DDoS opticfiber (Aug 12)
- Re: [normal] RE: Windows Dcom Worm planned DDoS martin f krafft (Aug 12)
- Re: [normal] RE: Windows Dcom Worm planned DDoS martin f krafft (Aug 12)
- RE: Re: [normal] RE: Windows Dcom Worm planned DDoS Marc Maiffret (Aug 12)
- RE: Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
- Re: [normal] RE: Windows Dcom Worm planned DDoS James Greenhalgh (Aug 12)
- Re: [normal] RE: Windows Dcom Worm planned DDoS morning_wood (Aug 12)
- RE: Windows Dcom Worm planned DDoS Chris Eagle (Aug 12)
- RE: Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
- Re: Windows Dcom Worm planned DDoS Franky Van Liedekerke (Aug 12)
- Re: Windows Dcom Worm planned DDoS Jeremiah Cornelius (Aug 12)
- RE: Windows Dcom Worm planned DDoS Nick FitzGerald (Aug 12)
- Re: Windows Dcom Worm planned DDoS Valdis . Kletnieks (Aug 13)
- Re: Windows Dcom Worm planned DDoS Max Valdez (Aug 15)
- Re: Windows Dcom Worm planned DDoS Valdis . Kletnieks (Aug 16)