Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream?

It sounds like uRPF is going to be of very little benefit to blocking the attack if the spoofed addresses come from the infected host's subnet/parent subnet.

-Josh

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Mark Vallar
Sent: Wednesday, August 13, 2003 7:18 PM
To: nanog@merit.edu
Subject: Re: The impending DDoS storm

Jack Bates Wrote:
I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this "planned" DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant.
There will most likely be issues with a lot of networks.

I had a glimpse of what is to come on the 16th on Tuesday. We have a firewall customer that had an infected machine behind the firewall and the RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50 attempts per second trying to connect on port 80 to windowsupdate.com. Since the worm was sending from a spoofed source address the firewall was denying the packets. This customer's network is a /24 out of traditional Class B space and I was seeing random source addresses from almost every IP out of the /16.

This is not a forensic analysis, just what I observed in the firewall logs.

Is it a coincidence that 8/16 is a Saturday....I think not. A lot less personal on-site to deal with possible issues.

-Mark Vallar
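The two observations above (Josh's point that uRPF helps little when the spoofed sources fall inside the host's own parent prefix, and Mark's log of sources scattered across the whole /16 while the customer only holds a /24) can be checked against firewall logs directly. The script below is an added example, not code from anyone in this thread: it parses constructed deny-log lines in an assumed "timestamp deny proto src:sport -> dst:dport" format, sorts sources into "inside the assigned /24", "inside the parent /16 but outside the /24" and "outside the /16", models a strict-uRPF decision for a given accepted prefix, and reports the peak per-second rate of port-80 denies. The prefixes (10.20.30.0/24 within 10.20.0.0/16) and the destination 198.51.100.10 are placeholders, not values from the thread.

```python
"""Source-address sanity check over firewall deny logs (added example).

Assumed log format (constructed for this example):
    YYYY-MM-DD HH:MM:SS deny <proto> <src>:<sport> -> <dst>:<dport>
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: a /24 customer whose firewall logs connection attempts
# to a placeholder "update server" on port 80. Two sources are legitimately
# inside the assigned /24, two are elsewhere in the parent /16 (the pattern
# Mark described), and one is outside the /16 altogether.
SAMPLE_LOG = """\
2003-08-12 09:15:01 deny tcp 10.20.30.17:1034 -> 198.51.100.10:80
2003-08-12 09:15:01 deny tcp 10.20.77.201:1035 -> 198.51.100.10:80
2003-08-12 09:15:01 deny tcp 10.20.140.9:1036 -> 198.51.100.10:80
2003-08-12 09:15:02 deny tcp 203.0.113.5:1037 -> 198.51.100.10:80
2003-08-12 09:15:02 deny tcp 10.20.30.44:1038 -> 198.51.100.10:80
"""

LOG_RE = re.compile(r"^(\S+ \S+) deny (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {
        "ts": ts,
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def classify_sources(log_text, assigned_prefix, parent_prefix):
    """Count sources by where they fall relative to the assigned and parent prefixes.

    'legit'        - inside the assigned prefix (what the firewall should see)
    'parent_spoof' - inside the parent prefix but outside the assigned one
                     (passes a uRPF check done at the parent boundary)
    'outside'      - outside the parent prefix (caught by uRPF at the parent)
    """
    assigned = ipaddress.ip_network(assigned_prefix)
    parent = ipaddress.ip_network(parent_prefix)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in assigned:
            counts["legit"] += 1
        elif rec["src"] in parent:
            counts["parent_spoof"] += 1
        else:
            counts["outside"] += 1
    return counts


def urpf_would_drop(src, accepted_prefix):
    """Model of strict uRPF: drop unless the source lies in the prefix routed back
    via the interface the packet arrived on (accepted_prefix)."""
    return ipaddress.ip_address(src) not in ipaddress.ip_network(accepted_prefix)


def peak_rate_per_second(log_text, dport=80):
    """Highest number of denied attempts to the given destination port in any one second."""
    per_sec = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dport"] == dport:
            per_sec[rec["ts"]] += 1
    return max(per_sec.values(), default=0)


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG, "10.20.30.0/24", "10.20.0.0/16"))
    # Same spoofed source, checked at the /16 boundary versus the /24 edge:
    print(urpf_would_drop("10.20.77.201", "10.20.0.0/16"))   # False: passes at the parent
    print(urpf_would_drop("10.20.77.201", "10.20.30.0/24"))  # True: caught at the /24 edge
    print(peak_rate_per_second(SAMPLE_LOG))
```

The point the numbers make is the one Josh raised: a strict-uRPF check on the upstream router that only knows the /16 accepts every spoofed source in the "parent_spoof" class, so the filter has to sit where the /24 (or the individual subnet, as with cable source-verify at a CMTS) is known.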
Today at 11:24 (-0400), Josh Fleishman wrote:
Date: Thu, 14 Aug 2003 11:24:53 -0400
From: Josh Fleishman <flyman2@corp.earthlink.net>
To: nanog@merit.edu
Subject: RE: The impending DDoS storm
Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream?
Josh,

Have you tried rebooting the infected box? Apparently, the date check and decision to DoS or infect others comes early on in the code and is not rechecked.

- Christopher
--On Thursday, August 14, 2003 11:24:53 AM -0400 Josh Fleishman <flyman2@corp.earthlink.net> wrote:
Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream?
The code looks at the clock once at startup. Once the code is running, it does not appear to recheck the clock. Set your clock prior to running the test.

Kevin
http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;sta...

----- Original Message -----
From: "Josh Fleishman" <flyman2@corp.earthlink.net>
To: <nanog@merit.edu>
Sent: Thursday, August 14, 2003 5:24 AM
Subject: RE: The impending DDoS storm
Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream?
Assuming cable operators have enabled cable source-verify or cable source-verify dhcp for Cisco IOS based CMTSes, spoofing in the same subnet will be dropped at the CMTS. Other vendors have similar features to mitigate this possibility. The worst a cable operator would likely see from this is some upstream saturation, since the packets aren't dropped until the CMTS.

D.
---
Darren Richer
Director of Telecommunications
Persona Communications Inc.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Michael Painter
Sent: August 14, 2003 2:16 PM
To: flyman2@corp.earthlink.net; nanog@merit.edu
Subject: Re: The impending DDoS storm

http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;start=0

----- Original Message -----
From: "Josh Fleishman" <flyman2@corp.earthlink.net>
To: <nanog@merit.edu>
Sent: Thursday, August 14, 2003 5:24 AM
Subject: RE: The impending DDoS storm
Has anyone determined a method for triggering the DOS attack manually? We've attempted this by changing an infected machine's clock, however it did not work on our test box. If anyone has triggered the attack, do you have a copy of the sniffed data stream?
participants (5): Christopher Chin, Darren Richer, Josh Fleishman, Kevin Houle, Michael Painter