Message-ID: <1302.172.16.1.222.1060920056.squirrel@extranet.langeconsulting.com>
From: matthew.lange at langeconsulting.com (Matthew Lange)
Subject: DDoS countermeasures
FYI - we tried this with the worm and it *doesn't* work. msblast.exe
spoofed the source address as the loopback address handed out from our
DNS. We instead created an empty windowsupdate.com zone.
- Matt
> All,
>
> We found a simple solution to protect our IntraNet against the DDoS.
>
> msblast.exe SYN floods windowsupdate.com (or windowsupdate.microsoft.com)
> at 50 packets per second (according to our tests).
>
> Since our IntraNet resolves all its DNS queries through internal caches
> (mandatory bottleneck), we created windowsupdate.com &
> windowsupdate.microsoft.com zones in this bottleneck DNS. These resolve
> to 127.0.0.1 via DNS wildcards.
>
> After the Microsoft DNS TTL has expired (15 minutes is the worst TTL), we
> confirmed that all known windowsupdate hosts (www.windowsupdate.com,
> windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com &
> v4.windowsupdate.microsoft.com) resolved to localhost.
>
> We now expect the worm to flood the box it is hosted on, thus preserving
> our IntraNet.
>
> Hope this can help others.
>
> Brgrds
>
> Laurent LEVIER
> Equant Information Technology & Systems - Equant Security Organization -
> Internal Network (WAN IntraNet) - Systems & Networks Security Expert
> Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
Matthew Lange, CISSP
763-633-0100 home
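To put the two configurations discussed in this thread side by side, here is an added illustration (not from either poster) in BIND 9 syntax, which is an assumption about the resolver in use: Laurent's wildcard zone answering 127.0.0.1, and the empty zone Matt says he used instead. The name server ns1.example.internal, the file paths and the serials are placeholders.

```conf
// named.conf fragment (BIND 9 syntax assumed): the internal caching resolver
// becomes authoritative for the names the worm looks up, so Microsoft's real
// records are no longer fetched once the cached ones (TTL up to 15 min) expire.
zone "windowsupdate.com"           { type master; file "sinkhole/windowsupdate.com.zone"; };
zone "windowsupdate.microsoft.com" { type master; file "sinkhole/windowsupdate.microsoft.com.zone"; };

; --- Variant A: sinkhole/windowsupdate.com.zone, Laurent's approach ---
; Every name under the zone answers 127.0.0.1. Caveat: a wildcard does NOT
; cover the zone apex, so windowsupdate.com itself needs its own A record
; (the same applies to windowsupdate.microsoft.com in its own zone).
$TTL 300                       ; short TTL so the change can be reverted quickly
@   IN SOA  ns1.example.internal. hostmaster.example.internal. (
            2003081201 3600 900 604800 300 )   ; serial refresh retry expire neg-cache
    IN NS   ns1.example.internal.
    IN A    127.0.0.1          ; apex: windowsupdate.com
*   IN A    127.0.0.1          ; www, v3, v4, ... all resolve to loopback

; --- Variant B: the same file as an empty zone, what Matt switched to ---
; Only SOA and NS, no address records: any A lookup for a name under the zone
; gets NXDOMAIN (the apex gets NOERROR with an empty answer), so the worm
; obtains no address at all.
$TTL 300
@   IN SOA  ns1.example.internal. hostmaster.example.internal. (
            2003081202 3600 900 604800 300 )
    IN NS   ns1.example.internal.
```

After reloading, confirm the result the way Laurent did, e.g. `dig @<internal-cache> v4.windowsupdate.microsoft.com A`: variant A should answer 127.0.0.1, variant B should report status NXDOMAIN.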