RE: DDos counter measures

[Roland Arendes <Roland.Arendes () de flextronics com>]

As far as I can see microsoft already fixed the situation, there won't be
any dDoS. Can someone confirm this?
The dns record of windowsupdate.com is empty/deleted.

To your question: this 127.0.0.1-thing is a very bad idea, because the worm
will use spoofed source ip adresses from your local network. the machine
itself (127.0.0.1) will flood RST-packets cause of the closed port through
your local network (nice thing ;)

And no: windowsupdate.microsoft.com is not needed as it is not resolved by
the worm

> -----Original Message-----
> From: vogt () hansenet com [mailto:vogt () hansenet com] 
> Sent: Freitag, 15. August 2003 09:43
> To: llevier () argosnet com; full-disclosure () lists netsys com
> Subject: AW: [Full-disclosure] DDos counter measures
>
>
> > Since our IntraNet solves all its DNS queries through 
> internal caches
> > (mandatory bottleneck), we created windowsupdate.com & 
> > windowsupdate.microsoft.com zones in this bottleneck DNS. These are 
> > resolving to 127.0.0.1 with DNS wildcards.
>
> Is it necessary to add windowsupdate.microsoft.com to this? 
> So far, all analysis indicated that it attacks 
> windowsupdate.com, the old legacy site. Or did I miss something?
>
>
> best regards / mit freundlichen Gruessen,
>
> Tom Vogt
> Hansenet Webfarm Security 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html