Full Disclosure mailing list archives
AW: MS should point windowsupdate.com to 127.0.0.1
From: Carsten.Truckenbrodt () Bertelsmann de
Date: Fri, 15 Aug 2003 08:33:57 +0200
Hi,

This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1, the following will happen: the worm uses spoofed IPs from the local /16 subnet as source address. Pointing all the SYN packets to 127.0.0.1 will generate a RST packet from the local host to the spoofed IPs and spread traffic over the complete internal network.

Even blocking or routing the normally resolved IP to Null0 will be a lot of work because this domain is load-balanced through the world. That means you get a different resolution depending on your ISP or place in the world.

If you manipulate your DNS, you should give no A record back to the worm. With this the worm will not start attacking anything. So setting up a nameserver zone with only a SOA record will do the job for Saturday 0:00.

Best Regards,
Carsten Truckenbrodt
Arvato systems Network Security

-----Original Message-----
From: Tobias Oetiker [mailto:oetiker () ee ethz ch]
Sent: Friday, 15 August 2003 00:15
To: full-disclosure () lists netsys com
Cc: security () microsoft com
Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

Folks,

How about MS standing up for the mess, and changing their own DNS to point all requests for windowsupdate.com and whatnot to 127.0.0.1? This will null the effect of the SYN flood very effectively. Only proxies will be affected.

As far as I see it, they will not be able to use these names productively for the foreseeable future anyways ... So they will have to issue an update for windows-updater through other channels (like their homepage for example) to point it to a different web-site .. that should not be all that much of a problem.

If MS does NOT make this change to their DNS, I can see many routers who are trying to track connections toppling over in interesting ways. Because the local techs have no clue, it will take the affected companies ages to get back on the net.
tobi
--
Oetiker @ ISG.EE, ETZ J97, ETH, CH-8092 Zurich
System Manager, Time Lord, Coder, Designer, Coach
http://people.ee.ethz.ch/~oetiker +41(0)1-632-5286

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
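As an added example (not part of Carsten's message or anything posted to the list), here is what his "zone with only a SOA record" sinkhole looks like as a BIND 9 zone file on a resolver under your own control. BIND refuses to load a zone that has no NS record at the apex, so one NS pointing at `localhost.` is included; that record is an addition to Carsten's description, not something his message specifies. The serial, timers and file path are assumed values.

```zone
; Constructed sinkhole zone for windowsupdate.com (example, not from the original message).
; Goal: answer the worm's A lookups with NOERROR and an empty answer section,
; so it never obtains a target address. No A or AAAA record exists anywhere in the zone.
$TTL 300
$ORIGIN windowsupdate.com.
@   IN  SOA  localhost. hostmaster.localhost. (
            2003081500  ; serial (YYYYMMDDnn, assumed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-cache TTL: short, so the sinkhole can be withdrawn quickly
; BIND will not load a zone without an apex NS. localhost. is out-of-zone, so
; BIND does not require address records for it, and it gives the worm nothing to hit.
@   IN  NS   localhost.
```

Load it with a stanza such as `zone "windowsupdate.com" { type master; file "/etc/bind/db.windowsupdate-sinkhole"; };` in named.conf (assumed path) on the resolver the Windows clients use, then verify with `dig @127.0.0.1 windowsupdate.com A`: the expected result is `status: NOERROR`, no ANSWER section and the SOA in the AUTHORITY section, which is the "no A record" behaviour Carsten describes, as opposed to an answer of 127.0.0.1 that would provoke the RST traffic to the spoofed local addresses. Because the zone has no wildcard, subdomains such as v4.windowsupdate.com return NXDOMAIN, which is also address-free. Legitimate Windows Update lookups from those clients fail for as long as the zone is loaded, so keep the TTLs short and remove the zone once the flood window has passed.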