From: james.greenhalgh at worldpay.com (James Greenhalgh)
Subject: [normal] RE: Windows Dcom Worm planned DDoS

Interesting solution, but it doesn't address a couple of possible
problems, firstly - how many hosts would they need?  Secondly - can
their link cope, no amount of front end victim boxes will help them
there - if you get to filter a packet, the bandwidth damage has already
been done.  All depends on whether or not the 15th is mass explosion, or
a cheap firework really.  I don't think M$ want the bad press of
poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
notice.

james



On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just setup a simple forward, that way all the traffic that would 
> normally be intended for the windows update site would be diverted to a 
> totally different host. See diagram below:
> 
> Normal Site
> 192.168.1.111(window update.com)
> 
> Setup to save M$ from  worm                     forward                
> Normal Site
> 192.168.1.111(windows.update.com)  ----------------->  
> 192.168.100.225(windows.offsite.update.com)
> 
> By using this setup, you can filter everything except  http requests. 
> Furthermore, it'd be relatively simple to setup a rotating pool of 
> different forwards to the main site. Meaning every time someone resolved 
> windowsupdate.com the name resolved to a different ip address that still 
> forwards to the main site. By using  this setup the ddos can be spread 
> out over several forwarding hosts and not even touch the main site.
> 
> 
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
> 
> Andrew Thomas wrote:
> 
> >>From: Chris Eagle [mailto:cseagle@...shift.com] 
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>
> >>
> >>The IP is not hard coded.  It does a lookup on "windowsupdate.com"
> >>    
> >>
> >
> >Allowing the option for corporates and/or isp's to dns poison that
> >to resolve to 127.0.0.1, or even dns race with tools like team teso's
> >if one doesn't use internal/cacheing NS.
> >
> >Might save some traffic on 15 August. Alternative, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >
> >--
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070 
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
James Greenhalgh <james.greenhalgh@...ldpay.com>
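The thread proposes two resolver-side defences: Andrew Thomas's suggestion of sinkholing the looked-up name to 127.0.0.1 so the worm's traffic never leaves the infected machine, and William Reyor's rotating pool of forwarding hosts so that each lookup lands on a different front end. The following Python is an added example, not code from any of the posters, that models both policies in a toy resolver and tallies where the traffic would go; the pool addresses, lookup count and per-host byte figure are constructed placeholders, and the dnsmasq `address=/name/ip` directive is used only to render the sinkhole map.

```python
"""Toy resolver policy for the two defences discussed in the thread.

(1) Sinkhole: answer a name with 127.0.0.1 so the packets never leave
    the host (the point Andrew makes: filtering later is too late, the
    bandwidth is already spent).
(2) Rotating pool: answer a name with a different front-end address on
    each lookup so the load is spread over several forwarders.

Constructed example; all addresses and counts are placeholders.
"""

import itertools
from collections import Counter


class PolicyResolver:
    """Stand-in for a caching name server that applies local policy."""

    def __init__(self, sinkhole=None, pools=None):
        # name -> address returned instead of the real answer
        self.sinkhole = {n.lower().rstrip("."): a
                         for n, a in (sinkhole or {}).items()}
        # name -> round-robin iterator over front-end addresses
        self.pools = {n.lower().rstrip("."): itertools.cycle(addrs)
                      for n, addrs in (pools or {}).items()}

    def resolve(self, name):
        key = name.lower().rstrip(".")
        if key in self.sinkhole:          # sinkhole wins over any pool
            return self.sinkhole[key]
        if key in self.pools:
            return next(self.pools[key])  # rotate through the pool
        # A real resolver would forward upstream here.
        raise LookupError(f"no local policy for {name}")


def simulate(resolver, name, lookups, bytes_per_host):
    """Resolve `name` `lookups` times (one per infected host).

    Returns (answers -> count, bytes that leave the hosts). Answers in
    127.0.0.0/8 are loopback, so that traffic never reaches the link.
    """
    answers = Counter()
    egress = 0
    for _ in range(lookups):
        addr = resolver.resolve(name)
        answers[addr] += 1
        if not addr.startswith("127."):
            egress += bytes_per_host
    return dict(answers), egress


def dnsmasq_sinkhole_lines(sinkhole):
    """Render a sinkhole map as dnsmasq `address=/name/ip` directives."""
    return [f"address=/{n}/{a}" for n, a in sorted(sinkhole.items())]


# Constructed inputs: the name from the thread and placeholder front ends
# modelled on the 192.168.100.225 address in William's diagram.
TARGET = "windowsupdate.com"
SINKHOLE = {TARGET: "127.0.0.1"}
POOL = {TARGET: ["192.168.100.225", "192.168.100.226", "192.168.100.227"]}
INFECTED_HOSTS = 9
BYTES_PER_HOST = 1500


def sinkhole_outcome():
    return simulate(PolicyResolver(sinkhole=SINKHOLE), TARGET,
                    INFECTED_HOSTS, BYTES_PER_HOST)


def pool_outcome():
    return simulate(PolicyResolver(pools=POOL), TARGET,
                    INFECTED_HOSTS, BYTES_PER_HOST)


if __name__ == "__main__":
    print("sinkhole :", sinkhole_outcome())
    print("pool     :", pool_outcome())
    print("\n".join(dnsmasq_sinkhole_lines(SINKHOLE)))
```

The two outcomes make James's objection concrete: the pool spreads the same egress volume over three front ends but the bytes still cross the link, whereas the sinkhole keeps every lookup on loopback and the egress total is zero. In a real deployment the sinkhole map would live in the resolver configuration (the rendered dnsmasq lines are one way to express it) rather than in a Python dictionary.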