Sabri Berisha wrote:
On Fri, 20 Jul 2001, Jasper Wallace wrote:
According to a recent post on bugtraq the worm is going to switch from infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
Knowing that some of the colocated boxes in our network *might* be infected; I have placed a nullroute for 198.137.240.92 (the IP www.whitehouse.gov resolves to).
Wrong IP to blackhole. Oops. I've copied the bugtraq post below for those of who are not subscribed, who might have missed it, or are overwhelmed.
On Thu, 19 Jul 2001, Laurence Hand wrote:
I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC, the next day). I was getting 5-10 attempts an hour, and I've had 0 since 4:43:29 PDT.
Folks will notice that www.whitehouse.gov is still accessible. The worm authors only put in one IP address, the one for www1.whitehouse.gov. BBN (who appears to be the provider for whitehouse.gov, according to my tracert) has blocked that single IP address at their peering points. So www2.whitehouse.gov is still running just fine.
Presumably, www.whitehouse.gov used to be RR DNS between the two. Now, www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of only 872.
For a relatively clever worm, the author sure screwed up his target list. Whoops.
Best to change that nullroute to www1.whitehouse.gov, and let up on www2. Name: www1.whitehouse.gov Address: 198.137.240.91 Name: www2.whitehouse.gov Address: 198.137.240.92 -- Powered by Guiness. Feds never "take a vacation" from being a fed. Aj Effin ReznoR