nanog mailing list archives
Re: The impending DDoS storm
From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 14 Aug 2003 23:02:08 -0400
Dan Hollis wrote:
> On Wed, 13 Aug 2003, Jason Frisvold wrote:
>> If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup.
> has anyone tried tarpitting eg labrea to slow the worm?
Oh yeah, LaBrea sticks 'em *REAL* good...
LaBrea::Tarpit SOURCE IP's 15223 total threads captured, from these 109 IP addresses
LaBrea makes it look like the exploit worked, and it hangs up the worm trying to send the command to 4444. Thread counts get as high as 2546 (as of now) which is 10x the subnet block where the tarpit lives. Had more like 30K threads until this morning when we had a power outage that outlived my small UPS so the numbers above are since ~9:30 EST this morning.
Jeff
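
The tarpit behaviour described in the message above, as an added example that is not part of the original post and is not LaBrea's code: LaBrea works at the packet level, while this userland analogue uses ordinary sockets to complete the handshake, never read or reply, and count held connections per source IP. The `Tarpit` class, its parameters and the loopback default are assumptions made for illustration.

```python
import socket
import threading
from collections import Counter

class Tarpit:
    """Accept TCP connections, then hold them open without reading or replying."""
    def __init__(self, host="127.0.0.1", port=0, rcvbuf=256):
        self.held = []            # accepted sockets, kept open so the peer stays stuck
        self.sources = Counter()  # captured connections per source IP
        self.lock = threading.Lock()
        self.stop_flag = threading.Event()
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Small receive buffer (the kernel may round it up): the peer's sends stall early.
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self.srv.bind((host, port))
        self.srv.listen(128)
        self.srv.settimeout(0.2)  # lets the accept loop notice stop_flag
        self.port = self.srv.getsockname()[1]
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def _accept_loop(self):
        while not self.stop_flag.is_set():
            try:
                conn, (ip, _peer_port) = self.srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self.lock:
                self.held.append(conn)   # never recv(), never send(), never close()
                self.sources[ip] += 1

    def summary(self):
        """Return (total connections captured, distinct source IPs)."""
        with self.lock:
            return sum(self.sources.values()), len(self.sources)

    def stop(self):
        self.stop_flag.set()
        self.thread.join()
        self.srv.close()
        for conn in self.held:
            conn.close()
```

`summary()` returns the same two figures as the report header quoted in the message: total captured connections and the number of distinct source addresses.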