On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
More info:
- Opens a raw socket and spoofs its source address.
  It *appears* to us through current testing that the source address spoofed is always within the class of the current subnet... So, a spoofing filter that denies all but the local subnet may only be partially effective..
- Randomizes its source port, but destination is always TCP/80
- Does one DNS lookup on "windowsupdate.com" and then uses the IP returned
- The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all.. it abuses as much bandwidth as it possibly can...
Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================
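As an added illustration (not code from this thread, from ISS or from any of the posters): a small classifier for the traffic profile described above, run over constructed packet records, which also counts how many matching SYNs a "deny all but the local subnet" egress filter would still pass. The target address, the 192.0.2.0/24 site prefix and the packet records are assumed placeholders.

```python
from dataclasses import dataclass
import ipaddress

# Traits from the mail: destination always TCP/80, window always 16384, spoofed source.
PROFILE_DPORT = 80
PROFILE_WINDOW = 16384
TARGET_IP = "203.0.113.10"  # assumed placeholder for the one resolved windowsupdate.com address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    window: int
    syn: bool

def matches_profile(pkt: Packet, target_ip: str = TARGET_IP) -> bool:
    """SYN to target_ip:80 with the fixed 16384 window (source port ignored: it is randomized)."""
    return (pkt.syn and pkt.dport == PROFILE_DPORT
            and pkt.window == PROFILE_WINDOW and pkt.dst == target_ip)

def passes_subnet_filter(pkt: Packet, local_net: ipaddress.IPv4Network) -> bool:
    """Egress anti-spoofing rule that permits only sources inside local_net."""
    return ipaddress.ip_address(pkt.src) in local_net

def summarize(packets, local_net_cidr: str, target_ip: str = TARGET_IP) -> dict:
    """Count profile hits and how many a local-subnet egress filter would still pass."""
    local_net = ipaddress.ip_network(local_net_cidr)
    hits = [p for p in packets if matches_profile(p, target_ip)]
    passed = sum(passes_subnet_filter(p, local_net) for p in hits)
    return {
        "matching": len(hits),
        "distinct_sources": len({p.src for p in hits}),
        "passed_by_subnet_filter": passed,
        "dropped_by_subnet_filter": len(hits) - passed,
    }

# Constructed sample from a 192.0.2.0/24 site: three SYNs spoofed inside the
# prefix, one spoofed from outside it, and one legitimate SYN with another window.
SAMPLE = [
    Packet("192.0.2.17", TARGET_IP, 40123, 80, 16384, True),
    Packet("192.0.2.200", TARGET_IP, 51000, 80, 16384, True),
    Packet("192.0.2.9", TARGET_IP, 33333, 80, 16384, True),
    Packet("198.51.100.3", TARGET_IP, 44444, 80, 16384, True),
    Packet("192.0.2.5", TARGET_IP, 45000, 80, 65535, True),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.0/24"))
```

Three of the four profile hits carry a source inside the local prefix, so the subnet-only filter drops just one of them, which is the partial effectiveness the mail points out.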
-----Original Message-----
From: Jason Frisvold [mailto:friz@corp.ptd.net]
Sent: Wednesday, August 13, 2003 10:50 AM
To: Ingevaldson, Dan (ISS Atlanta)
Cc: Stephen J. Wilcox; nanog@merit.edu
Subject: RE: The impending DDoS storm
On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
It might be somewhat tricky to block TCP/80 going to windowsupdate.com.
I agree... but then, who needs updates anyways.. *grin*
Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================
-----Original Message-----
From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
Sent: Wednesday, August 13, 2003 10:38 AM
To: Jason Frisvold
Cc: nanog@merit.edu
Subject: Re: The impending DDoS storm
On Wed, 13 Aug 2003, Jason Frisvold wrote:
All,
What is everyone doing, if anything, to prevent the apparent upcoming DDoS attack against Microsoft? From what I've been reading, and what I've been told, August 16th is the apparent start date...
We're looking for some solution to prevent wasting our network resources transporting this traffic, but at the same time trying to allow legitimate traffic through...
So, is anyone planning on doing anything?
See previous discussion on filtering...
Other than that, experience says if these things turn out to be big enough to cause an issue then they quickly burn themselves out anyway.
Steve
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]