Jack Bates Wrote:
I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this "planned" DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that user's can't reach windowsupdate.com is irrelevant.
There will most likely be issues with a lot of networks. I had a glimpse of what is to come on the 16th on Tuesday. We have a firewall customer that had an infected machine behind the firewall and the RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50 attempts per second trying to connect on port 80 to windowsupdate.com. Since the worm was sending from a spoofed source address the firewall was denying the packets. This customers network is a /24 out of traditional Class B space and I was seeing random source addresses from almost every IP out of the /16. This is not a forensic analysis, just what I observed in the firewall logs. Is it a coincidence that 8/16 is a Saturday....I think not. A lot less personal on-site to deal with possible issues. -Mark Vallar