Full Disclosure mailing list archives
DDos counter measures
From: Laurent LEVIER <llevier () argosnet com>
Date: Thu, 14 Aug 2003 20:04:54 +0200
All,

We found a simple solution to protect our IntraNet against the DDoS. Since the msblast.exe will SYN flood windowsupdate.com (or windowsupdate.microsoft.com) with 50 packets per second (according to our tests).
Since our IntraNet solves all its DNS queries through internal caches (mandatory bottleneck), we created windowsupdate.com & windowsupdate.microsoft.com zones in this bottleneck DNS. These are resolving to 127.0.0.1 with DNS wildcards.
After the Microsoft DNS TTL has expired (15 minutes is the worst TTL), we got confirmation that all known windowsupdate domain hosts (www.windowsupdate.com, windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com & v4.windowsupdate.microsoft.com) were resolved to localhost.
We now expect the worm to flood the box it is hosted on, thus preserving our IntraNet.
Hope this can help others.

Brgrds

Laurent LEVIER
Equant Information Technology & Systems - Equant Security Organization - Internal Network (WAN IntraNet) - Systems & Networks Security Expert
Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
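The sinkhole described in the message above can be checked offline with a small model of how a caching resolver answers from locally hosted zones. This is an added example, not part of the original post: the zone data, function names and the `www.microsoft.com` control name are constructed for illustration, and only the two zone names and four host names come from the message.

```python
import ipaddress

# Constructed sinkhole data in zone-file terms: "@" is the zone apex,
# "*" the wildcard. The model assumes each zone holds only these two owners.
SINKHOLE_ZONES = {
    "windowsupdate.com": {"@": "127.0.0.1", "*": "127.0.0.1"},
    "windowsupdate.microsoft.com": {"@": "127.0.0.1", "*": "127.0.0.1"},
}

# Host names listed in the message.
KNOWN_HOSTS = [
    "www.windowsupdate.com",
    "windowsupdate.microsoft.com",
    "v3.windowsupdate.microsoft.com",
    "v4.windowsupdate.microsoft.com",
]

def find_zone(qname, zones):
    """Return the longest locally hosted zone containing qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(qname, zones=SINKHOLE_ZONES):
    """Answer as the internal cache would: an address, NODATA/NXDOMAIN, or
    None when the name is outside every local zone (normal recursion)."""
    name = qname.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is None:
        return None
    records = zones[zone]
    if name == zone:
        # A wildcard never matches the apex itself; it needs its own record.
        return records.get("@", "NODATA")
    relative = name[: -len(zone) - 1]
    return records.get(relative, records.get("*", "NXDOMAIN"))

def unsinkholed(hosts, zones=SINKHOLE_ZONES):
    """Return the hosts that do NOT resolve to a loopback address."""
    missed = []
    for host in hosts:
        answer = resolve(host, zones)
        if answer in (None, "NODATA", "NXDOMAIN") or \
                not ipaddress.ip_address(answer).is_loopback:
            missed.append(host)
    return missed

if __name__ == "__main__":
    print("not sinkholed:", unsinkholed(KNOWN_HOSTS))
```

The model shows two things the zone definition has to get right: a wildcard alone leaves the apex name (for example `windowsupdate.microsoft.com` itself) unanswered, and hosting `windowsupdate.microsoft.com` as its own zone leaves the rest of `microsoft.com` resolving normally.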