Message-ID: <MKEAIJIPCGAHEFEJGDOCKEKCLJAA.marc@eeye.com>
From: marc at eeye.com (Marc Maiffret)
Subject: msblast DDos counter measures

Yah, this has been mentioned a few times, although I am not sure why you
blackhole windowsupdate.microsoft.com, therefore keeping machines from using
Windows Update to get patches. The worm only hits windowsupdate.com itself,
so you only need to 127.0.0.1 that. Unless I am missing something, like you
just wanting to be overly paranoid or something?

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of B3r3n
| Sent: Thursday, August 14, 2003 11:10 AM
| To: full-disclosure@...ts.netsys.com
| Subject: [Full-Disclosure] msblast DDos counter measures
|
|
| All,
|
| We found a simple solution to protect our IntraNet against the DDoS.
|
| Since the msblast.exe will SYN flood windowsupdate.com (or
| windowsupdate.microsoft.com) with 50 packets per second (according to our
| tests).
|
| Since our IntraNet solves all its DNS queries through internal caches
| (mandatory bottleneck), we created windowsupdate.com &
| windowsupdate.microsoft.com zones in this bottleneck DNS. These are
| resolving to 127.0.0.1 with DNS wildcards.
|
| After the Microsoft DNS TTL had expired (15 minutes is the worst TTL), we
| got confirmation that all known windowsupdate domain hosts (www.windowsupdate.com,
| windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com &
| v4.windowsupdate.microsoft.com) were resolved to localhost.
|
| We now expect the worm to flood the box it is hosted on, and so preserve
| our IntraNet.
|
| Hope this can help others.
|
| Brgrds
|
| Laurent LEVIER
| Equant Information Technology & Systems - Equant Security Organization -
| Internal Network (WAN IntraNet) - Systems & Networks Security Expert
| Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
|
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
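
The sinkhole zone the quoted message describes, written out as an added example for BIND 9 (not configuration from either poster; the resolver name, file path and serial are assumed). It covers only windowsupdate.com, the zone the reply says the worm actually targets; adding a second stanza for windowsupdate.microsoft.com, as the quoted message did, would also stop clients from reaching Windows Update.

```conf
// --- named.conf fragment (assumed path /etc/bind/named.conf) ---
// The internal caching resolver answers authoritatively for the worm's
// hardcoded DDoS target, so infected hosts flood 127.0.0.1 instead of the WAN.
zone "windowsupdate.com" {
    type master;
    file "/etc/bind/db.sinkhole";   // assumed path for the zone data below
};

; --- /etc/bind/db.sinkhole (assumed path) ---
; Short $TTL so the sinkhole can be withdrawn quickly once hosts are patched.
$TTL 300
@   IN SOA  ns.example.internal. hostmaster.example.internal. (
            2003081401  ; serial (assumed)
            3600        ; refresh
            600         ; retry
            86400       ; expire
            300 )       ; negative-cache TTL
    IN NS   ns.example.internal.   ; assumed name of the internal resolver
    IN A    127.0.0.1              ; bare windowsupdate.com -> localhost
*   IN A    127.0.0.1              ; wildcard: www., v3., v4. etc. -> localhost
```

Once the previously cached records have expired (the quoted message observed up to 15 minutes), `dig @<internal-resolver> www.windowsupdate.com A` should answer 127.0.0.1, which is the confirmation step the message describes.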

