But doesn't that mean the hacker won? If you change the DNS and a user can not get to windowsupdate, you just helped him create a better DoS than he had... J -----Original Message----- From: Lloyd Taylor [mailto:ltaylor@keynote.com] Sent: Wednesday, August 13, 2003 12:26 PM To: Jack Bates Cc: nanog@merit.edu Subject: Re: The impending DDoS storm Does anyone have any notion of what the Blaster worm will do if the DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this case by not sending any micreant love, might that not be the best way to mitigate the potential damage? --Lloyd On Wed, 13 Aug 2003, Jack Bates wrote:
Date: Wed, 13 Aug 2003 11:10:13 -0500 From: Jack Bates <jbates@brightok.net> To: Jason Frisvold <friz@corp.ptd.net> Cc: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>, Stephen J. Wilcox <steve@telecomplete.co.uk>, nanog@merit.edu Subject: Re: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in their right mind would do that?
-Jack
--