Interesting interaction between Blaster worm variants and Verisign DNS change
I think that an interesting interaction involving:

1) Blaster worm DDoS attack against Windows Update.
2) The default action of Windows 2000 and XP computers to automatically append the domain name under "Network Identification" or the suffix search list to DNS lookups.
3) The number of non-existent domains that exist in the above settings.
4) The change that Verisign made so that all non-existent domains resolve to 64.94.110.11

is the cause of the DDoS attack that Verisign is experiencing.

It is simple to reproduce 2-4. Reconfigure any Windows 2000 computer or XP computer so that its domain name does not exist or so that the first domain name in its domain suffix search order does not exist and then do an nslookup. It will append the domain you added to your lookup and the result of the lookup will be 64.94.110.11 if the domain you added does not exist.

All that is needed next is a machine satisfying this condition to have a variant of the Blaster worm that is performing its DDoS against windowsupdate.com. It will instead send its traffic to 64.94.110.11.

In a network of roughly 30,000 computers we have had 2 with this combination of troubles already.

Jeremy Powell
San Bernardino County Superintendent of Schools

Date Sent (d/m/yy): 18/9/2003 - Sender: Jeremy_Powell@sbcss.k12.ca.us
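An added example, not part of the original post: an offline audit that finds hosts whose DNS suffix search list contains a non-existent domain, the condition that steers lookups to 64.94.110.11. Assumptions: the host names, suffixes and zone data are constructed, the stub resolver models the wildcard for .com and .net only, and the resolver tries the name as typed before appending each suffix.

```python
import uuid

WILDCARD_IP = "64.94.110.11"  # address named in the post

# Constructed zone data for the stub resolver (not real DNS contents).
RECORDS = {"www.example.com": "192.0.2.10"}
ZONES = ("example.com", "windowsupdate.com")  # exist; windowsupdate.com has no address here

def stub_resolver(qname):
    """Return an address string, or None when the name yields no address."""
    q = qname.lower().rstrip(".")
    if q in RECORDS:
        return RECORDS[q]
    if any(q == z or q.endswith("." + z) for z in ZONES):
        return None  # inside an existing zone: an honest negative answer
    if q.endswith((".com", ".net")):
        return WILDCARD_IP  # non-existent domain caught by the wildcard
    return None

def resolve_with_search(name, suffixes, resolver):
    """Try the name as typed, then name + each suffix (assumed order)."""
    name = name.rstrip(".")
    for qname in [name] + [f"{name}.{s.strip('.')}" for s in suffixes]:
        ip = resolver(qname)
        if ip:
            return qname, ip
    return None, None

def wildcarded_suffixes(suffixes, resolver):
    """Suffixes under which a random, never-registered label hits the wildcard."""
    return [s for s in suffixes
            if resolver(f"{uuid.uuid4().hex}.{s.strip('.')}") == WILDCARD_IP]

def audit(inventory, resolver, target="windowsupdate.com"):
    """Report hosts whose search list would send `target` to the wildcard."""
    report = {}
    for host, suffixes in inventory.items():
        bad = wildcarded_suffixes(suffixes, resolver)
        qname, ip = resolve_with_search(target, suffixes, resolver)
        if bad or ip == WILDCARD_IP:
            report[host] = {"suffixes": bad, "qname": qname, "ip": ip}
    return report

# Constructed inventory: host -> configured DNS suffix search list.
INVENTORY = {"pc-0141": ["example.com"], "pc-2207": ["corp-lan-constructed.com"]}

if __name__ == "__main__":
    for host, finding in audit(INVENTORY, stub_resolver).items():
        print(host, finding)
```

To run it against a live network, pass a callable that performs the real lookup in place of `stub_resolver`.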