Full Disclosure mailing list archives
RE: DDos counter measures
From: Roland Arendes <Roland.Arendes () de flextronics com>
Date: Fri, 15 Aug 2003 16:58:05 +0200
As far as I can see, Microsoft already fixed the situation; there won't be any DDoS. Can someone confirm this? The DNS record of windowsupdate.com is empty/deleted.

To your question: this 127.0.0.1 thing is a very bad idea, because the worm will use spoofed source IP addresses from your local network. The machine itself (127.0.0.1) will flood RST packets because of the closed port through your local network (nice thing ;)

And no: windowsupdate.microsoft.com is not needed, as it is not resolved by the worm.
-----Original Message-----
From: vogt () hansenet com [mailto:vogt () hansenet com]
Sent: Freitag, 15. August 2003 09:43
To: llevier () argosnet com; full-disclosure () lists netsys com
Subject: AW: [Full-disclosure] DDos counter measures

Since our IntraNet solves all its DNS queries through internal caches (mandatory bottleneck), we created windowsupdate.com & windowsupdate.microsoft.com zones in this bottleneck DNS. These are resolving to 127.0.0.1 with DNS wildcards.

Is it necessary to add windowsupdate.microsoft.com to this? So far, all analysis indicated that it attacks windowsupdate.com, the old legacy site. Or did I miss something?

best regards / mit freundlichen Gruessen,
Tom Vogt
Hansenet Webfarm Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html