Message-ID: <3F38E7F0.6050309@topsight.net>
From: opticfiber at topsight.net (opticfiber)
Subject: [normal] RE: Windows Dcom Worm planned DDoS
Why not just set up a simple forward, that way all the traffic that would
normally be intended for the windows update site would be diverted to a
totally different host. See diagram below:
Normal Site
192.168.1.111(window update.com)
Setup to save M$ from worm forward
Normal Site
192.168.1.111(windows.update.com) ----------------->
192.168.100.225(windows.offsite.update.com)
By using this setup, you can filter everything except HTTP requests.
Furthermore, it'd be relatively simple to set up a rotating pool of
different forwards to the main site. Meaning every time someone resolved
windowsupdate.com the name resolved to a different IP address that still
forwards to the main site. By using this setup the DDoS can be spread
out over several forwarding hosts and not even touch the main site.
William Reyor
TopSight - Discussions on computers and beyond
http://www.topsight.net
Andrew Thomas wrote:
>>From: Chris Eagle [mailto:cseagle@...shift.com]
>>Sent: 12 August 2003 01:31
>>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
>>
>>
>>The IP is not hard coded. It does a lookup on "windowsupdate.com"
>>
>>
>
>Allowing the option for corporates and/or ISPs to DNS poison that
>to resolve to 127.0.0.1, or even DNS race with tools like team teso's
>if one doesn't use internal/caching NS.
>
>Might save some traffic on 15 August. Alternatively, route all traffic
>to the resolved IP addresses to /dev/null, but with the above, the
>traffic shouldn't even leave the machine in question.
>
>--
>Andrew G. Thomas
>Hobbs & Associates Chartered Accountants (SA)
>(o) +27-(0)21-683-0500
>(f) +27-(0)21-683-0577
>(m) +27-(0)83-318-4070
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html