Message-ID: <3F3A4674.3030601@fulcrum.com.au>
From: brobson at fulcrum.com.au (Benjamin M.A. Robson)
Subject: MSBlast DDoS

This is almost right.  The packets should go straight to the firewall 
and out to the Internet, unless there is a device (such as the firewall 
itself) performing some sort of NAT redirect for the purposes of a 
transparent proxy.  If this is the case then the packets will be sent 
via the proxy, and if they are not properly formed HTTP commands (GET, 
HEAD, etc.) the proxy server should reject them as bogus.

So... If no transparent proxying, then straight out firewall.  If 
transparent proxying exists, then via proxy servers.

BenR.

Chris Eagle wrote:

>The DDoS packets should go straight to your firewall.  They are raw IP
>packets crafted with the windowsupdate.com ip address as the destination,
>not that of your proxy server, so they should be sent to your gateway
>device.  The source IP is randomized in various ways so probably won't
>appear to originate from within your network.  The source MAC should be
>traceable back to the infected machine however.
>
>Chris
>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Jasper
>Blackwell
>Sent: Wednesday, August 13, 2003 12:03 AM
>To: full-disclosure@...ts.netsys.com
>Subject: [Full-Disclosure] MSBlast DDoS
>
>
>Does anyone know if the DoS which works on port 80, according to the Eeye
>advisory, is going to go through the proxy servers or just straight to the
>firewall? I would guess it will go through the proxy servers.
>
>Also any clues what to look for on the firewall logs? Again if it goes
>through the proxy servers I suppose looking for a lot of traffic from our
>proxies to the windows update site, using TCP traffic.
>
>Jasp
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>  
>

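A detection pass over constructed firewall log lines, added here as an example and not code from the original posts: it flags outbound TCP/80 flows toward the windowsupdate.com address whose source IP lies outside the internal range (the spoofed-source pattern Chris describes) and tallies them by source MAC so the infected host can be traced. The key=value log format, the 10.0.0.0/8 internal range, the mac= field and the placeholder destination 198.51.100.10 are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not from the thread). 198.51.100.10 is a
# documentation-range placeholder for the windowsupdate.com address; the mac=
# field assumes the firewall records the source MAC, which many do not.
SAMPLE_LOG = """\
2003-08-16T00:00:01 ACCEPT proto=TCP src=10.1.2.3 dst=198.51.100.10 dport=80 mac=00:11:22:33:44:55
2003-08-16T00:00:02 ACCEPT proto=TCP src=203.0.113.77 dst=198.51.100.10 dport=80 mac=00:aa:bb:cc:dd:01
2003-08-16T00:00:02 ACCEPT proto=TCP src=45.67.89.10 dst=198.51.100.10 dport=80 mac=00:aa:bb:cc:dd:01
2003-08-16T00:00:03 ACCEPT proto=TCP src=10.1.2.9 dst=198.51.100.10 dport=443 mac=00:11:22:33:44:66
2003-08-16T00:00:03 ACCEPT proto=TCP src=172.16.5.5 dst=198.51.100.10 dport=80 mac=00:aa:bb:cc:dd:02
"""

# Address space legitimately in use behind the firewall (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TARGET_IP = "198.51.100.10"
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one log line, or None if malformed."""
    fields = dict(FIELD_RE.findall(line))
    return fields if {"proto", "src", "dst", "dport", "mac"}.issubset(fields) else None

def is_internal(ip_text):
    """True if ip_text is an address our network legitimately originates from."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_spoofed_flows(log_text, target_ip=TARGET_IP):
    """Count outbound TCP/80 flows to target_ip whose source is not one of our
    addresses, grouped by source MAC: the spoofed source is the DDoS signature
    the thread describes, and the MAC points back at the infected host."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f["proto"] != "TCP" or f["dport"] != "80" or f["dst"] != target_ip:
            continue  # not the windowsupdate.com:80 flood pattern
        if not is_internal(f["src"]):
            hits[f["mac"]] += 1
    return hits
```

On the sample above, find_spoofed_flows(SAMPLE_LOG).most_common() lists the two MACs sending spoofed-source flows; the legitimate 10.x client on port 80 and the port-443 flow are not counted.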
