But doesn't that mean the hacker won? If you change the DNS and a user can not get to windowsupdate, you just helped him create a better DoS than he had...

J

-----Original Message-----
From: Lloyd Taylor [mailto:ltaylor@keynote.com]
Sent: Wednesday, August 13, 2003 12:26 PM
To: Jack Bates
Cc: nanog@merit.edu
Subject: Re: The impending DDoS storm

Does anyone have any notion of what the Blaster worm will do if the DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this case by not sending any miscreant love, might that not be the best way to mitigate the potential damage?

--Lloyd

On Wed, 13 Aug 2003, Jack Bates wrote:
Date: Wed, 13 Aug 2003 11:10:13 -0500
From: Jack Bates <jbates@brightok.net>
To: Jason Frisvold <friz@corp.ptd.net>
Cc: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>, Stephen J. Wilcox <steve@telecomplete.co.uk>, nanog@merit.edu
Subject: Re: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in their right mind would do that?
-Jack
--
McBurnett, Jim wrote:
But doesn't that mean the hacker won? If you change the DNS and a user can not get to windowsupdate, you just helped him create a better DoS than he had...
I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this "planned" DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant.

-Jack
Jack Bates Wrote:
I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this "planned" DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that users can't reach windowsupdate.com is irrelevant.

There will most likely be issues with a lot of networks. I had a glimpse of what is to come on the 16th on Tuesday. We have a firewall customer that had an infected machine behind the firewall and the RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50 attempts per second trying to connect on port 80 to windowsupdate.com. Since the worm was sending from a spoofed source address the firewall was denying the packets. This customer's network is a /24 out of traditional Class B space and I was seeing random source addresses from almost every IP out of the /16. This is not a forensic analysis, just what I observed in the firewall logs.

Is it a coincidence that 8/16 is a Saturday... I think not. A lot less personnel on-site to deal with possible issues.

-Mark Vallar
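A detection check for the pattern Mark describes, added here as an example and not taken from anyone's post: over constructed firewall deny lines it flags port-80 sources that fall outside the customer's assigned /24 (the spoofing tell, and the case an egress filter should drop) and reports the peak per-second attempt rate. The 172.16.x.x prefixes and the 192.0.2.10 destination standing in for windowsupdate.com are assumed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed firewall deny lines (not real logs). 192.0.2.10:80 stands in
# for windowsupdate.com; the customer is assumed to own 172.16.5.0/24 inside
# the larger 172.16.0.0/16 block.
SAMPLE_LOG = """\
Aug 12 14:03:01 fw1 deny tcp 172.16.5.20:1034 -> 192.0.2.10:80
Aug 12 14:03:01 fw1 deny tcp 172.16.77.9:1035 -> 192.0.2.10:80
Aug 12 14:03:01 fw1 deny tcp 172.16.201.130:1036 -> 192.0.2.10:80
Aug 12 14:03:02 fw1 deny tcp 172.16.5.20:1037 -> 192.0.2.10:80
Aug 12 14:03:02 fw1 deny tcp 172.16.14.250:1038 -> 192.0.2.10:80
Aug 12 14:03:02 fw1 permit tcp 172.16.5.31:2200 -> 198.51.100.7:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<action>deny|permit) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield one dict per line that matches the constructed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def spoofed_sources(log_text, customer_prefix, target_port=80):
    """Source IPs hitting target_port that lie outside the customer's prefix.
    A /24 customer emitting sources from across the /16 is the spoofing
    signature; these are exactly the packets an egress filter should drop."""
    net = ip_network(customer_prefix)
    return sorted(
        {e["src"] for e in parse(log_text)
         if e["dport"] == str(target_port) and ip_address(e["src"]) not in net},
        key=ip_address)

def peak_rate(log_text, target_port=80):
    """Highest number of attempts to target_port seen in any single second."""
    per_sec = Counter(e["ts"] for e in parse(log_text)
                      if e["dport"] == str(target_port))
    return max(per_sec.values(), default=0)

if __name__ == "__main__":
    print(spoofed_sources(SAMPLE_LOG, "172.16.5.0/24"))
    print(peak_rate(SAMPLE_LOG))
```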