If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup. On Wed, 2003-08-13 at 12:25, Lloyd Taylor wrote:
Does anyone have any notion of what the Blaster worm will do if the DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this case by not sending any micreant love, might that not be the best way to mitigate the potential damage?
--Lloyd
On Wed, 13 Aug 2003, Jack Bates wrote:
Date: Wed, 13 Aug 2003 11:10:13 -0500 From: Jack Bates <jbates@brightok.net> To: Jason Frisvold <friz@corp.ptd.net> Cc: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>, Stephen J. Wilcox <steve@telecomplete.co.uk>, nanog@merit.edu Subject: Re: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in their right mind would do that?
-Jack
--
Jason H. Frisvold Backbone Engineering Supervisor Penteledata Engineering friz@corp.ptd.net RedHat Engineer - RHCE # 807302349405893 Cisco Certified - CCNA # CSCO10151622 MySQL Core Certified - ID# 205982910 --------------------------- "Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]