Full Disclosure mailing list archives

Re: DDos counter measures

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 15 Aug 2003 11:14:08 +1200

Laurent LEVIER <llevier () argosnet com> wrote:

We found a simple solution to protect our IntraNet against the DDoS.


"simple" -- yes.

"solution" -- ???

Since the msblast.exe will SYN flood windowsupdate.com (or 
windowsupdate.microsoft.com) with 50 packets per second (according to our 
tests).

Since our IntraNet solves all its DNS queries through internal caches 
(mandatory bottleneck), we created windowsupdate.com & 
windowsupdate.microsoft.com zones in this bottleneck DNS. These are 
resolving to 127.0.0.1 with DNS wildcards.

After the Microsoft DNS TTL has expired (15 minutes is the worst TTL), we 
got confirm all known windowsupdate domains hosts (www.windowsupdate.com, 
windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com & 
v4.windowsupdate.microsoft.com) were resolved to localhost.

We expect now the worm to flood the box it is hosted on and so preserving 
our IntraNet.

Hope this can help others.


This is moronic.

Unless you know of some variant the rest of us have not seen yet, the 
"Blaster" worm only attacks windowsupdate.com as resolved through the 
DNS.  Yes, normally plugging windowsupdate.com into your web browser 
redirects you to somewhere at windowsupdate.microsoft.com (which is 
probably a networkologically close Akamai box ??), but the worm simply 
does a DNS lookup for "windowsupdate.com".

Thus, blocking all those other domains is stupid, as those are needed 
for "normal" Windows Update to work (reputedly "windowsupdate.com" has 
not been used by the Windows Update tools for quite some time, if 
ever).

If network admins feel they really must do something like this, limit 
it to match the domains that the worm specifically asks the DNS to 
resolve.  To date (touch wood) that is "windowsupdate.com".


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Windows Dcom Worm planned DDoS, (continued)
- - - Re: Windows Dcom Worm planned DDoS Reveret Julien (Aug 12)
    - Re: Windows Dcom Worm planned DDoS Nick FitzGerald (Aug 12)
- RE: Windows Dcom Worm planned DDoS Wcc (Aug 12)
  - Windows Dcom Worm Killer w g (Aug 13)
    - Re: Windows Dcom Worm Killer Joey (Aug 13)
    - Re: Windows Dcom Worm Killer Nick FitzGerald (Aug 13)
    - Re: Windows Dcom Worm Killer and source code w g (Aug 13)
- RE: Windows Dcom Worm planned DDoS VBuster (Aug 12)
  - RE: Windows Dcom Worm planned DDoS Chris Eagle (Aug 14)
    - DDos counter measures Laurent LEVIER (Aug 14)
    - Re: DDos counter measures Nick FitzGerald (Aug 14)
    - Re: DDos counter measures Gael Martinez (Aug 14)
    - Re: DDos counter measures Charles Ballowe (Aug 15)
    - Re: DDos counter measures B3r3n (Aug 15)
    - Re: DDos counter measures Vladimir Parkhaev (Aug 14)
    - Re: DDos counter measures Matthew Lange (Aug 15)
  - Message not available
    - Re: DDos counter measures B3r3n (Aug 15)