Message-ID: <1060702308.16103.42.camel@gradius.office.cam.uk.worldpay.com>
From: james.greenhalgh at worldpay.com (James Greenhalgh)
Subject: [normal] RE: Windows Dcom Worm planned DDoS
Interesting solution, but it doesn't address a couple of possible
problems. Firstly, how many hosts would they need? Secondly, can
their link cope? No amount of front end victim boxes will help them
there; if you get to filter a packet, the bandwidth damage has already
been done. All depends on whether or not the 15th is a mass explosion, or
a cheap firework really. I don't think M$ want the bad press of
poisoning the DNS until Christmas either ;)
As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
notice.
james
On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just set up a simple forward, that way all the traffic that would
> normally be intended for the windows update site would be diverted to a
> totally different host. See diagram below:
>
> Normal Site
> 192.168.1.111(window update.com)
>
> Setup to save M$ from worm forward
> Normal Site
> 192.168.1.111(windows.update.com) ----------------->
> 192.168.100.225(windows.offsite.update.com)
>
> By using this setup, you can filter everything except http requests.
> Furthermore, it'd be relatively simple to set up a rotating pool of
> different forwards to the main site. Meaning every time someone resolved
> windowsupdate.com the name resolved to a different ip address that still
> forwards to the main site. By using this setup the DDoS can be spread
> out over several forwarding hosts and not even touch the main site.
>
>
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
>
> Andrew Thomas wrote:
>
> >>From: Chris Eagle [mailto:cseagle@...shift.com]
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>
> >>
> >>The IP is not hard coded. It does a lookup on "windowsupdate.com"
> >>
> >>
> >
> >Allowing the option for corporates and/or ISPs to dns poison that
> >to resolve to 127.0.0.1, or even dns race with tools like team teso's
> >if one doesn't use internal/caching NS.
> >
> >Might save some traffic on 15 August. Alternatively, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >
> >--
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
--
James Greenhalgh <james.greenhalgh@...ldpay.com>
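Chris Eagle's point that the worm resolves "windowsupdate.com" rather than using a hard-coded IP, together with Andrew's suggestion of handling the name at an internal caching NS, also hands a defender a detection signal: the resolver's query log. The following is an added example, not code from anyone in this thread, that tallies lookups of that name per client over constructed BIND-style query-log lines; the client addresses, timestamps and the alert threshold are assumptions, and a single lookup may well be a legitimate update check.

```python
import re
from collections import Counter

# Constructed sample BIND query-log lines (hypothetical clients and times), not real data.
# Only the classic "client IP#port: query: NAME IN TYPE" form is shown here.
SAMPLE_LOG = """\
12-Aug-2003 14:13:01.101 client 192.168.1.50#1034: query: windowsupdate.com IN A +
12-Aug-2003 14:13:01.205 client 192.168.1.50#1035: query: windowsupdate.com IN A +
12-Aug-2003 14:13:02.310 client 192.168.1.77#2001: query: www.example.net IN A +
12-Aug-2003 14:13:03.044 client 192.168.1.50#1036: query: windowsupdate.com IN A +
12-Aug-2003 14:13:05.900 client 192.168.1.23#1100: query: windowsupdate.com IN A +
12-Aug-2003 14:13:06.120 client 192.168.1.77#2002: query: WINDOWSUPDATE.COM. IN A +
"""

# Accepts the classic "client IP#port: query: NAME" form and the newer
# "client @0x... IP#port (NAME): query: NAME" form written by later BIND 9 releases.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?"
    r": query: (?P<name>\S+) IN (?P<type>\S+)"
)

def count_lookups(log_text, target="windowsupdate.com"):
    """Return {client_ip: number of A/AAAA lookups of target}.
    Name comparison is case-insensitive and ignores a trailing dot."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if name == target and m.group("type") in ("A", "AAAA"):
            hits[m.group("ip")] += 1
    return hits

def suspect_hosts(log_text, threshold=2, target="windowsupdate.com"):
    """Clients that looked the target up at least `threshold` times, most active first.
    Repeated lookups in a short window look like a retry loop rather than a
    one-off update check; the threshold is an assumed tuning value."""
    hits = count_lookups(log_text, target)
    return sorted((ip for ip, n in hits.items() if n >= threshold),
                  key=lambda ip: (-hits[ip], ip))

if __name__ == "__main__":
    for ip, n in count_lookups(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} lookup(s)")
    print("suspect:", suspect_hosts(SAMPLE_LOG))
```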