Re: Code Red : Any whitehouse.gov people around?

[Etaoin Shrdlu <shrdlu () deaddrop org>]

Sabri Berisha wrote:
> On Fri, 20 Jul 2001, Jasper Wallace wrote:
>
> > According to a recent post on bugtraq the worm is going to switch from
> > infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
>
> Knowing that some of the colocated boxes in our network *might* be
> infected; I have placed a nullroute for 198.137.240.92 (the IP
> www.whitehouse.gov resolves to).

Wrong IP to blackhole. Oops. I've copied the bugtraq post below for
those of who are not subscribed, who might have missed it, or are
overwhelmed. 

> > On Thu, 19 Jul 2001, Laurence Hand wrote:
>
> > I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
> > the next day).  I was getting 5-10 attempts an hour, and I've had 0
> > since 4:43:29 PDT.
> >
> > Folks will notice that www.whitehouse.gov is still accessible.  The worm
> > authors only put in one IP address, the one for www1.whitehouse.gov.  BBN
> > (who appears to be the provider for whitehouse.gov, according to my
> > tracert) has blocked that single IP address at their peering points.  So
> > www2.whitehouse.gov is still running just fine.
> >
> > Presumably, www.whitehouse.gov used to be RR DNS between the two.  Now,
> > www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
> > only 872.
> >
> > For a relatively clever worm, the author sure screwed up his target list.
> > Whoops.

Best to change that nullroute to www1.whitehouse.gov, and let up on
www2.

Name:    www1.whitehouse.gov
Address:  198.137.240.91

Name:    www2.whitehouse.gov
Address:  198.137.240.92

--
Powered by Guiness.

Feds never "take a vacation" from being a fed.
    Aj Effin ReznoR