Code Red : Any whitehouse.gov people around?
According to a recent post on bugtraq the worm is going to switch from infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so. Now I'm not certain if the worm has a hardcoded IP to attack or will do a DNS lookup for whitehouse.gov, but if it is going to do a DNS lookup then they've still got a chance to change the A records in their DNS records to something else, like 127.0.0.1. Unfortunately this will make it hard for people to track down and fix infected boxes, so if they could use an IP in a non-routable block that's unlikely to be used for anything else, e.g. 192.0.2.1, which is on the 'TEST-NET', or possibly 192.0.0.1, which is on the range HP use for printer auto configuration (they only use 192.0.0.192). The TTL on the A RR for whitehouse.gov is 24 hours unfortunately. :-(

--
Internet Vision          Internet Consultancy    Tel: 020 7589 4500
60 Albert Court          & Web development       Fax: 020 7589 4522
Prince Consort Road      vision@ivision.co.uk
London SW7 2BE           http://www.ivision.co.uk/
On Fri, 20 Jul 2001, Jasper Wallace wrote:
According to a recent post on bugtraq the worm is going to switch from infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
Knowing that some of the colocated boxes in our network *might* be infected, I have placed a nullroute for 198.137.240.92 (the IP www.whitehouse.gov resolves to). Just a thought.

--
/* Sabri Berisha CCNA,BOFH,+iO      O.O       speaking for just myself
 * Join HAL!!: www.HAL2001.org  ____oOo_U_oOo____  http://www.bit.nl/~sabri
 * "We deliver quality services, we just can't get it on the internet"
 * Anonymous sysadmin - on IRC */
Sabri Berisha wrote:
On Fri, 20 Jul 2001, Jasper Wallace wrote:
According to a recent post on bugtraq the worm is going to switch from infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
Knowing that some of the colocated boxes in our network *might* be infected; I have placed a nullroute for 198.137.240.92 (the IP www.whitehouse.gov resolves to).
Wrong IP to blackhole. Oops. I've copied the bugtraq post below for those of you who are not subscribed, who might have missed it, or are overwhelmed.
On Thu, 19 Jul 2001, Laurence Hand wrote:
I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC, the next day). I was getting 5-10 attempts an hour, and I've had 0 since 4:43:29 PDT.
Folks will notice that www.whitehouse.gov is still accessible. The worm authors only put in one IP address, the one for www1.whitehouse.gov. BBN (who appears to be the provider for whitehouse.gov, according to my tracert) has blocked that single IP address at their peering points. So www2.whitehouse.gov is still running just fine.
Presumably, www.whitehouse.gov used to be RR DNS between the two. Now, www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of only 872.
For a relatively clever worm, the author sure screwed up his target list. Whoops.
Best to change that nullroute to www1.whitehouse.gov, and let up on www2.

Name:    www1.whitehouse.gov
Address: 198.137.240.91

Name:    www2.whitehouse.gov
Address: 198.137.240.92

--
Powered by Guiness. Feds never "take a vacation" from being a fed.
Aj Effin ReznoR
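The thread makes two operational points: the worm carries the address of www1.whitehouse.gov (198.137.240.91) rather than the name, so a DNS change cannot divert it and the nullroute has to match that one IP, and a provider whose colocated boxes "might be infected" wants a way to spot them rather than just silently dropping their traffic. The script below is an added example, not code from anyone on this thread: it scans flow-style records for hosts in our own range sending repeated bare SYNs to the worm's hardcoded target on port 80. The record format, the customer range 203.0.113.0/24, the sample flows and the threshold are all constructed for the example.

```python
"""Flag our own hosts that are flooding the worm's hardcoded DDoS target.

Added example for the Code Red thread; the flow format, address range and
sample data are constructed and not taken from any real collector.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# From the quoted bugtraq post: the worm targets www1.whitehouse.gov by IP,
# so filtering must key on the address, never on the name.
WORM_TARGET = ip_address("198.137.240.91")
TARGET_PORT = 80

# Constructed stand-in for the colocated customer range we are responsible for.
OUR_SPACE = ip_network("203.0.113.0/24")

# Constructed flow records: "src_ip src_port dst_ip dst_port tcp_flags".
# 203.0.113.10 is a flooder, 203.0.113.77 sends a couple of SYNs (below the
# threshold), 203.0.113.44 has normal completed handshakes to www2, and
# 198.51.100.5 is outside our space and therefore not our problem to clean.
SAMPLE_FLOWS = """\
203.0.113.10 1025 198.137.240.91 80 S
203.0.113.10 1026 198.137.240.91 80 S
203.0.113.10 1027 198.137.240.91 80 S
203.0.113.10 1028 198.137.240.91 80 S
203.0.113.10 1029 198.137.240.91 80 S
203.0.113.10 1030 198.137.240.91 80 S
203.0.113.44 3001 198.137.240.92 80 SA
203.0.113.44 3002 198.137.240.92 80 SA
203.0.113.77 4001 198.137.240.91 80 S
203.0.113.77 4002 198.137.240.91 80 S
198.51.100.5 5000 198.137.240.91 80 S
this line is not a flow record
"""


def parse_flow(line):
    """Parse one record into (src, sport, dst, dport, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ip_address(parts[0]), int(parts[1]),
                ip_address(parts[2]), int(parts[3]), parts[4])
    except ValueError:
        return None


def find_flooders(flow_text, threshold=5):
    """Return {src_ip: syn_count} for our hosts sending >= threshold bare SYNs
    to the worm's target. Bare SYNs (flags == "S") are used because the flood
    never completes handshakes, unlike ordinary browsing to the same site."""
    counts = Counter()
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _sport, dst, dport, flags = flow
        if src not in OUR_SPACE:
            continue
        if dst != WORM_TARGET or dport != TARGET_PORT or flags != "S":
            continue
        counts[src] += 1
    return {str(src): n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, syns in sorted(find_flooders(SAMPLE_FLOWS).items()):
        print(f"probable infected host {host}: {syns} SYNs to {WORM_TARGET}")
```

Keying the filter on the target address rather than on www.whitehouse.gov is the whole point: as the bugtraq post notes, www.whitehouse.gov resolved to www2 (.92) while the worm was hitting www1 (.91), so a name-based rule would have matched the wrong host, exactly the mistake corrected above. Lowering the threshold widens the net at the cost of catching a box that merely retried a connection.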
participants (3)
- Etaoin Shrdlu
- Jasper Wallace
- Sabri Berisha