Full Disclosure mailing list archives
Re: DDos counter measures
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 15 Aug 2003 11:14:08 +1200
Laurent LEVIER <llevier () argosnet com> wrote:
We found a simple solution to protect our IntraNet against the DDoS.
"simple" -- yes. "solution" -- ???
Since msblast.exe will SYN flood windowsupdate.com (or windowsupdate.microsoft.com) with 50 packets per second (according to our tests), and since our IntraNet resolves all its DNS queries through internal caches (a mandatory bottleneck), we created windowsupdate.com & windowsupdate.microsoft.com zones in this bottleneck DNS. These resolve to 127.0.0.1 with DNS wildcards. After the Microsoft DNS TTL had expired (15 minutes is the worst TTL), we confirmed that all known windowsupdate domain hosts (www.windowsupdate.com, windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com & v4.windowsupdate.microsoft.com) were resolved to localhost. We now expect the worm to flood the box it is hosted on, thus preserving our IntraNet. Hope this can help others.
This is moronic. Unless you know of some variant the rest of us have not seen yet, the "Blaster" worm only attacks windowsupdate.com as resolved through the DNS. Yes, normally plugging windowsupdate.com into your web browser redirects you to somewhere at windowsupdate.microsoft.com (which is probably a networkologically close Akamai box ??), but the worm simply does a DNS lookup for "windowsupdate.com". Thus, blocking all those other domains is stupid, as those are needed for "normal" Windows Update to work (reputedly "windowsupdate.com" has not been used by the Windows Update tools for quite some time, if ever).
If network admins feel they really must do something like this, limit it to match the domains that the worm specifically asks the DNS to resolve. To date (touch wood) that is "windowsupdate.com".
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
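As an added illustration, not code from either poster, of the two sinkhole configurations argued over above: a small Python model of which names a local DNS sinkhole would answer with 127.0.0.1, assuming a sinkholed zone answers for its apex and, when it carries a wildcard record, for every name beneath it. The zone and host names are the ones quoted in the thread; the policy dictionaries and function names are my own.

```python
# Added example (not from the thread): compare the broad sinkhole from the
# first post with the narrow one the reply recommends.
# Assumption: a sinkholed zone answers 127.0.0.1 for its apex and, if it has a
# wildcard ("*") record, for every name below the apex as well. Names below a
# locally hosted zone that are not defined would get NXDOMAIN rather than be
# forwarded; this model only tracks which names receive the sinkhole answer.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def is_sinkholed(hostname, zones):
    """True if hostname would resolve to the sinkhole address.

    zones maps a zone apex (e.g. "windowsupdate.com") to a bool saying
    whether that zone also carries a wildcard record.
    """
    host = _labels(hostname)
    for apex, wildcard in zones.items():
        zone = _labels(apex)
        if host == zone:
            return True  # apex is answered by the zone's own A record
        if wildcard and len(host) > len(zone) and host[-len(zone):] == zone:
            return True  # wildcard covers every name under the apex
    return False

def evaluate(zones, worm_lookups, legit_hosts):
    """Which worm lookups are neutralised, and which legitimate hosts are
    collaterally broken, under a given sinkhole configuration."""
    return {
        "neutralised": [h for h in worm_lookups if is_sinkholed(h, zones)],
        "broken": [h for h in legit_hosts if is_sinkholed(h, zones)],
    }

# Per the reply, the worm resolves only this name.
WORM_LOOKUPS = ["windowsupdate.com"]
# Hosts normal Windows Update clients use, as listed in the thread.
LEGIT_HOSTS = ["windowsupdate.microsoft.com",
               "v3.windowsupdate.microsoft.com",
               "v4.windowsupdate.microsoft.com"]

# First post's configuration: both zones, each with a wildcard.
BROAD_POLICY = {"windowsupdate.com": True, "windowsupdate.microsoft.com": True}
# Reply's recommendation: only the name the worm actually asks for.
NARROW_POLICY = {"windowsupdate.com": False}

if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(label, evaluate(policy, WORM_LOOKUPS, LEGIT_HOSTS))
```

Running it shows both policies neutralise the worm's lookup, but only the broad one also sinkholes every legitimate Windows Update host.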