Message-ID: <OF5CDA4B38.D2B01E07-ON88256D80.005BDB7A-88256D80.005CC4D8@forseon.com>
From: DStark at forseon.com (DStark@...seon.com)
Subject: [normal] RE: Windows Dcom Worm planned DDoS

The only time you could ever get a suit to notice anything is when their
printer stops working. I know just about everyone on this list may share my
sentiments, but it's pretty crappy that people who don't care enough to know
about computers are in charge of people who do care. And for you lucky few
who do have a boss or 4 that actually know something about computers,
possibly even more than you, well then congrats.

</tuesday morning gripe>


- d





                                                                                                                        
James Greenhalgh <james.greenhalgh@...ldpay.com>
Sent by: full-disclosure-admin@...ts.netsys.com
08/12/2003 08:31 AM
To: opticfiber <opticfiber@...sight.net>
cc: full-disclosure@...ts.netsys.com
Subject: Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS

Interesting solution, but it doesn't address a couple of possible
problems, firstly - how many hosts would they need?  Secondly - can
their link cope, no amount of front end victim boxes will help them
there - if you get to filter a packet, the bandwidth damage has already
been done.  All depends on whether or not the 15th is mass explosion, or
a cheap firework really.  I don't think M$ want the bad press of
poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
notice.

james



On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just set up a simple forward, that way all the traffic that would
> normally be intended for the windows update site would be diverted to a
> totally different host. See diagram below:
>
> Normal Site
> 192.168.1.111(window update.com)
>
> Setup to save M$ from  worm                     forward
> Normal Site
> 192.168.1.111(windows.update.com)  ----------------->
> 192.168.100.225(windows.offsite.update.com)
>
> By using this setup, you can filter everything except http requests.
> Furthermore, it'd be relatively simple to set up a rotating pool of
> different forwards to the main site. Meaning every time someone resolved
> windowsupdate.com the name resolved to a different ip address that still
> forwards to the main site. By using this setup the ddos can be spread
> out over several forwarding hosts and not even touch the main site.
>
>
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
>
> Andrew Thomas wrote:
>
> >>From: Chris Eagle [mailto:cseagle@...shift.com]
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>
> >>
> >>The IP is not hard coded.  It does a lookup on "windowsupdate.com"
> >>
> >>
> >
> >Allowing the option for corporates and/or ISPs to dns poison that
> >to resolve to 127.0.0.1, or even dns race with tools like team teso's
> >if one doesn't use internal/caching NS.
> >
> >Might save some traffic on 15 August. Alternative, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >
> >--
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >
> >
>
>
>
--
James Greenhalgh <james.greenhalgh@...ldpay.com>

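The two defensive ideas quoted in the thread, an internal caching resolver that answers the worm's update hostname with 127.0.0.1 so the flood never leaves the infected machine (Andrew Thomas), and a rotating pool of forwarding hosts handed out round-robin so the load is spread before it reaches the real site (opticfiber), as one added Python example. This is not code from the thread or from any of its participants: the policy tables, the 192.168.100.x pool addresses (taken from the diagram and extended with two hypothetical neighbours), the 60-second TTL and the query IDs are constructed here. The resolver only builds DNS wire-format answers for names it has a policy for and reports everything else as passthrough; it does not forward anything upstream.

```python
import itertools
import socket
import struct

# Constructed policy tables (not from any real deployment).
# Sinkhole: the name the worm resolves is answered with 127.0.0.1 so the
# flood never leaves the infected host.
SINKHOLE = {"windowsupdate.com": "127.0.0.1"}
# Rotating pool: forwarding hosts from the thread's diagram (RFC 1918
# addresses, extended to three hypothetical entries) handed out round-robin.
POOL = {"windows.update.com": ["192.168.100.225", "192.168.100.226", "192.168.100.227"]}
TTL = 60  # short TTL so a policy change propagates quickly


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query, as a client (or an infected host) sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(msg):
    """Return (txid, lower-cased qname, qtype, qclass, raw question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name.lower(), qtype, qclass, msg[12:off + 4]


def parse_a_response(msg):
    """Extract (txid, qname, [A record IPs]) from a response message."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    off += 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, name, ips


class SinkholeResolver:
    """Answers A queries from the policy tables; anything else is reported as
    passthrough, which a real deployment would hand to the upstream resolver."""

    def __init__(self, sinkhole, pool):
        self.sinkhole = sinkhole
        self.pool = {name: itertools.cycle(ips) for name, ips in pool.items()}

    def lookup(self, name):
        if name in self.sinkhole:
            return self.sinkhole[name], "sinkhole"
        if name in self.pool:
            return next(self.pool[name]), "pool"  # round-robin over the pool
        return None, "passthrough"

    def respond(self, query):
        txid, name, qtype, qclass, question = parse_query(query)
        ip, policy = self.lookup(name)
        if ip is None or qtype != 1 or qclass != 1:
            return None, policy
        # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one question, one answer.
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # The answer's owner name is a pointer (0xC00C) to the question at offset 12.
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
        return header + question + rr, policy


if __name__ == "__main__":
    resolver = SinkholeResolver(SINKHOLE, POOL)
    for qname in ["windowsupdate.com", "windows.update.com", "windows.update.com", "example.org"]:
        reply, policy = resolver.respond(build_query(qname))
        ips = parse_a_response(reply)[2] if reply else []
        print(f"{qname:22} {policy:12} {ips}")
```

Two points the thread only hints at are visible in the code: the sinkhole answer carries the client's own transaction ID and question section back, so a normal stub resolver accepts it without any spoofing, and the pool policy spreads successive lookups across hosts only as far as the TTL lets it, so the record is deliberately short-lived. The passthrough case is where the defensive value ends: names without a policy must still reach a real resolver, or the sinkhole breaks ordinary name resolution for everyone behind it.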