RE: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
More info:
-Opens a raw socket and spoofs its source address
It *appears* to us through current testing that the source address spoofed is always within the class of the current subnet... So, a spoofing filter that denies all but the local subnet may only be partially effective..
-Randomizes its source port, but destination is always TCP/80
-Does one DNS lookup on "windowsupdate.com" and then uses the IP returned
-The window size is always 16384 (this might be useful)
It also looks like there is no throttling at all.. it abuses as much bandwidth as it possibly can...
Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net 404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================
-----Original Message-----
From: Jason Frisvold [mailto:friz@corp.ptd.net]
Sent: Wednesday, August 13, 2003 10:50 AM
To: Ingevaldson, Dan (ISS Atlanta)
Cc: Stephen J. Wilcox; nanog@merit.edu
Subject: RE: The impending DDoS storm
On Wed, 2003-08-13 at 10:14, Ingevaldson, Dan (ISS Atlanta) wrote:
It might be somewhat tricky to block TCP/80 going to windowsupdate.com.
I agree... but then, who needs updates anyways.. *grin*
-----Original Message-----
From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
Sent: Wednesday, August 13, 2003 10:38 AM
To: Jason Frisvold
Cc: nanog@merit.edu
Subject: Re: The impending DDoS storm
On Wed, 13 Aug 2003, Jason Frisvold wrote:
All,
What is everyone doing, if anything, to prevent the apparent upcoming DDoS attack against Microsoft? From what I've been reading, and what I've been told, August 16th is the apparent start date...
We're looking for some solution to prevent wasting our network resources transporting this traffic, but at the same time trying to allow legitimate through...
So, is anyone planning on doing anything?
See previous discussion on filtering...
Other than that experience says if these things turn out to be big enough to cause an issue then they quickly burn themselves out anyway
Steve
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." -- Albert Einstein [1879-1955]
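As an added defender-side illustration (not code from the thread, from ISS, or from any of the posters): Python that scores constructed packet records against the flood fingerprint Dan lists above (SYN to TCP/80 on the resolved windowsupdate.com address, window 16384, random source port, source spoofed inside the sender's own subnet) and counts hits per source /24 as well as per host, showing why in-subnet spoofing defeats per-host thresholds. The target address and all sample records are constructed from documentation prefixes.

```python
import ipaddress
from collections import Counter

# Traffic fingerprint reported in the thread: SYN to TCP/80 on the address
# resolved for windowsupdate.com, window size 16384, random source port,
# source address spoofed from within the sender's own subnet.
WIN_SIZE = 16384
DST_PORT = 80

def matches_blaster_flood(pkt, target_ip):
    """True if a packet record carries the reported flood fingerprint."""
    return (pkt["flags"] == "S" and pkt["dport"] == DST_PORT
            and pkt["win"] == WIN_SIZE and pkt["dst"] == target_ip)

def count_by_source(packets, target_ip, prefix=24):
    """Count fingerprint hits per source host and per source /prefix.
    Aggregating by subnet is what makes in-subnet spoofing visible: the
    per-host counts stay low while the subnet total climbs."""
    per_host, per_net = Counter(), Counter()
    for p in packets:
        if matches_blaster_flood(p, target_ip):
            per_host[p["src"]] += 1
            net = ipaddress.ip_network(f"{p['src']}/{prefix}", strict=False)
            per_net[str(net)] += 1
    return per_host, per_net

def hot_subnets(packets, target_ip, threshold, prefix=24):
    """Subnets whose aggregate fingerprint count reaches the threshold."""
    _, per_net = count_by_source(packets, target_ip, prefix)
    return sorted(n for n, c in per_net.items() if c >= threshold)

# Constructed sample: one infected host on 192.0.2.0/24 spoofing 40 different
# in-subnet sources. 203.0.113.10 is a placeholder standing in for the
# resolved windowsupdate.com address; it is not taken from the thread.
TARGET = "203.0.113.10"
SAMPLE = [{"src": f"192.0.2.{i}", "sport": 1024 + 37 * i, "dst": TARGET,
           "dport": 80, "flags": "S", "win": 16384} for i in range(1, 41)]
SAMPLE += [  # legitimate traffic: normal window size, other ports
    {"src": "198.51.100.5", "sport": 3301, "dst": TARGET, "dport": 80,
     "flags": "S", "win": 65535},
    {"src": "192.0.2.7", "sport": 3302, "dst": TARGET, "dport": 443,
     "flags": "S", "win": 16384},
]

if __name__ == "__main__":
    hosts, nets = count_by_source(SAMPLE, TARGET)
    print("max per-host count:", max(hosts.values()))   # 1 each: spoofing
    print("per-subnet counts:", dict(nets))             # {'192.0.2.0/24': 40}
    print("hot subnets:", hot_subnets(SAMPLE, TARGET, threshold=20))
```

A per-host threshold of 20 would never fire on this sample, while the /24 aggregate does; the same grouping applies to NetFlow or firewall logs once the records are mapped to the same fields.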
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in their right mind would do that?
-Jack
Does anyone have any notion of what the Blaster worm will do if the DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this case by not sending any miscreant love, might that not be the best way to mitigate the potential damage?
--Lloyd
On Wed, 13 Aug 2003, Jack Bates wrote:
Date: Wed, 13 Aug 2003 11:10:13 -0500
From: Jack Bates <jbates@brightok.net>
To: Jason Frisvold <friz@corp.ptd.net>
Cc: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>, Stephen J. Wilcox <steve@telecomplete.co.uk>, nanog@merit.edu
Subject: Re: The impending DDoS storm
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in their right mind would do that?
-Jack
--
If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup.
On Wed, 2003-08-13 at 12:25, Lloyd Taylor wrote:
Does anyone have any notion of what the Blaster worm will do if the DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this case by not sending any miscreant love, might that not be the best way to mitigate the potential damage?
--Lloyd
On Wed, 13 Aug 2003, Jason Frisvold wrote:
If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup.
has anyone tried tarpitting eg labrea to slow the worm?
-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
has anyone tried tarpitting eg labrea to slow the worm?
I have been using my Linux kernel module ipt_TARPIT (included in the latest netfilter.org patch-o-matic release) to do this for any IPs on my network lacking a route, including outbound from my customers and inbound to my unused address space. While it is trying to scan routeless IPs, the tarpit slows it down to scanning 20 IPs per ~9 minutes. (MSBlast has 20 connection slots, each apparently timing out after ~9 minutes.) It normally appears to have a several second connect timeout, so this slows it down by two orders of magnitude with a similar drop in network traffic.
-- Aaron
Dan Hollis wrote:
On Wed, 13 Aug 2003, Jason Frisvold wrote:
If the blaster cannot get a proper DNS response, it continues to replicate via port 135... It then goes into a retry cycle and continues to try to get a good DNS lookup.
has anyone tried tarpitting eg labrea to slow the worm?
Oh yeah, LaBrea sticks 'em *REAL* good...
LaBrea::Tarpit SOURCE IP's 15223 total threads captured, from these 109 IP addresses
LaBrea makes it look like the exploit worked, and it hangs up the worm trying to send the command to 4444. Thread counts get as high as 2546 (as of now) which is 10x the subnet block where the tarpit lives. Had more like 30K threads until this morning when we had a power outage that outlived my small UPS so the numbers above are since ~9:30 EST this morning.
Jeff
Since no one has brought it up yet, wouldn't it be just dandy if rev 2 of this worm attacked different stuff? Call it the perfect storm, RPC vulnerability used to whack infrastructure. It doesn't take long to think of the perfect combinations since this thing was cut and pasted together.