Impending (mydoom) DOS attack
Is anyone taking any special precautions given the potential for a sudden increase in aggregate packets per second across your networks come Sunday afternoon when the original Mydoom virus enters into its DOS phase? Does anyone know if the virus' assault will be slowed if it is unable to reach www.sco.com? I am hoping that if it cannot reach SCO's site that the HTTP GET command will be slow in returning, effectively reducing the volume of traffic a single PC is capable of generating. I am having a difficult time artificially forcing the virus to start its attack in a lab environment, so I am unable to confirm this. Any input would be appreciated. Thanks!
I believe the only route to SCO comes via us, XO, to a customer of ours who provides bandwidth to SCO. We've been in contact with our customer and they have been in contact with SCO, discussing precautions we can take. I think we're relaying the results of those discussions to our major peers. Since I'm not directly involved, I will say no more...but at least you know we are trying to do something.. :) I would gather that you are correct in that if SCO's site cannot be reached.. in a way that connections have to 'time out', it would reduce the volume of traffic and the rate of packets. Windows would be waiting for the SYN ACK and not looping very quickly.. - Chris -- Chris Behrens Senior Software Architect XO Communications On Fri, Jan 30, 2004 at 04:18:03PM -0500, bcm wrote:
> Is anyone taking any special precautions given the potential for a sudden increase in aggregate packets per second across your networks come Sunday afternoon when the original Mydoom virus enters into its DOS phase?
> Does anyone know if the virus' assault will be slowed if it is unable to reach www.sco.com? I am hoping that if it cannot reach SCO's site that the HTTP GET command will be slow in returning, effectively reducing the volume of traffic a single PC is capable of generating. I am having a difficult time artificially forcing the virus to start its attack in a lab environment, so I am unable to confirm this.
> Any input would be appreciated. Thanks!
Having looked for some information to educate myself and my employer, I will say a weakness right now is that there is limited info about this worm. I have yet to see any good information on how effective the attack might be, or what some basic prevention steps (eg filtering) might do to the worm. Backbones don't often have people that disassemble worms. It would be nice to find some way for the anti-virus companies to share more details quicker with various backbones in order to effectively combat the DDOS portion of worms. If anyone has any good analysis on the current worm (other than "it attacks www.sco.com"), that would be welcome. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Fri, 30 Jan 2004, Leo Bicknell wrote:
> If anyone has any good analysis on the current worm (other than "it attacks www.sco.com"), that would be welcome.
Yep, the information gap is pretty big on this one. Neither the anti-virus vendors nor the ex-Symantec guy at Homeland Security seem to be releasing many details about how the virus actually behaves on the network. Lots of information about changing Windows registries, but not much about how often it checks or loads the network. Some people say they've gotten it to do something in the lab, other people report it's a dud. I can't tell what the difference is.
Are there any reliable estimates as to the number of infected hosts out there? Looking at my stats for email sent this week, I am seeing a 70:1 ratio for mydoom.a as compared to Swen.a (the next most prevalent virus). Perhaps if we had some rough #s to work with we could start to approximate the range of traffic volumes we might see. ---Mike At 07:17 PM 30/01/2004, Leo Bicknell wrote:
> Having looked for some information to educate myself and my employer, I will say a weakness right now is that there is limited info about this worm. I have yet to see any good information on how effective the attack might be, or what some basic prevention steps (eg filtering) might do to the worm.
> Backbones don't often have people that disassemble worms. It would be nice to find some way for the anti-virus companies to share more details quicker with various backbones in order to effectively combat the DDOS portion of worms.
> If anyone has any good analysis on the current worm (other than "it attacks www.sco.com"), that would be welcome.
> -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
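The two questions raised above, whether an unreachable target slows each infected PC down and how to turn a rough infected-host count into a traffic estimate, can be put into one back-of-the-envelope model. The following is an added example written for this thread, not code from any of the posters; the per-host loop count, the round-trip time, the SYN retransmission schedule and the packets-per-attempt figures are assumptions, not measured MyDoom behaviour. It also adds a third case the thread only implies: a target that answers with RST (or whose upstream sends ICMP unreachable) fails each connect() immediately, so the loop spins faster than against a live server. Only a silent drop produces the slowdown Chris describes.

```python
"""Capacity-planning model for a worm's HTTP-flood phase (added example).

Compares how much traffic a population of infected hosts generates when the
target answers normally, when it refuses connections, and when it is
black-holed so that every SYN has to wait out the connect timeout.
All parameters are assumptions chosen for illustration.
"""
from dataclasses import dataclass


def connect_timeout(initial_rto: float, retries: int) -> float:
    """Seconds connect() waits before failing when no SYN-ACK ever arrives.

    Exponential backoff: the first SYN waits `initial_rto`, each retransmit
    doubles the wait. With 3.0 s and 2 retries: 3 + 6 + 12 = 21 s (assumed,
    modelled on a Windows-style stack).
    """
    return sum(initial_rto * (2 ** i) for i in range(retries + 1))


@dataclass(frozen=True)
class Scenario:
    name: str
    seconds_per_attempt: float          # wall-clock time one request loop spends per attempt
    outbound_packets_per_attempt: int   # packets the infected host sends per attempt


def per_host_rates(s: Scenario, loops_per_host: int) -> tuple:
    """(attempts/s, outbound packets/s) from one infected host."""
    attempts = loops_per_host / s.seconds_per_attempt
    return attempts, attempts * s.outbound_packets_per_attempt


def aggregate(s: Scenario, hosts: int, loops_per_host: int) -> dict:
    """Scale the per-host rates to the whole infected population."""
    attempts, pps = per_host_rates(s, loops_per_host)
    return {"scenario": s.name,
            "attempts_per_sec": attempts * hosts,
            "packets_per_sec": pps * hosts}


def compare(hosts: int, loops_per_host: int, rtt: float,
            initial_rto: float, retries: int) -> dict:
    """Side-by-side estimate for a live, a refusing and a silent target."""
    live = Scenario("target answers",
                    seconds_per_attempt=2 * rtt,        # handshake + GET/response (assumed)
                    outbound_packets_per_attempt=4)     # SYN, ACK, GET, FIN (assumed)
    refused = Scenario("target sends RST",
                       seconds_per_attempt=rtt,         # connect() fails after one RTT
                       outbound_packets_per_attempt=1)  # the single SYN
    silent = Scenario("target black-holed (SYNs time out)",
                      seconds_per_attempt=connect_timeout(initial_rto, retries),
                      outbound_packets_per_attempt=retries + 1)  # SYN + retransmits
    results = {s.name: aggregate(s, hosts, loops_per_host) for s in (live, refused, silent)}
    a, b = results[live.name], results[silent.name]
    return {"live": a, "refused": results[refused.name], "silent": b,
            "attempt_reduction_factor": a["attempts_per_sec"] / b["attempts_per_sec"],
            "packet_reduction_factor": a["packets_per_sec"] / b["packets_per_sec"]}


if __name__ == "__main__":
    # Constructed inputs: 100k infected hosts with 64 request loops each (assumed).
    r = compare(hosts=100_000, loops_per_host=64, rtt=0.1, initial_rto=3.0, retries=2)
    for key in ("live", "refused", "silent"):
        row = r[key]
        print(f"{row['scenario']:<36} {row['attempts_per_sec']:>14,.0f} attempts/s"
              f" {row['packets_per_sec']:>14,.0f} pkt/s")
    print(f"black-holing cuts attempts {r['attempt_reduction_factor']:.0f}x"
          f" and packets {r['packet_reduction_factor']:.0f}x versus a live target")
```

The absolute numbers are only as good as the assumed loop count and retransmission schedule, but the ratios are the useful part: for the parameters shown, a silently dropped target reduces the attempt rate by a factor of roughly the connect timeout divided by the request round trip, while a target that answers RST roughly doubles it.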
On Fri, 30 Jan 2004, Mike Tancsa wrote:
> Are there any reliable estimates as to the number of infected hosts out there? Looking at my stats for email sent this week, I am seeing a 70:1 ratio for mydoom.a as compared to Swen.a (the next most prevalent virus). Perhaps if we had some rough #s to work with we could start to approximate the range of traffic volumes we might see.
Reliable? Not really. McAfee's global virus statistics say 17% of all scanned computers were infected by W32/Mydoom.a. But I don't believe that number, because it is wildly different than other metrics. A lot of users have experienced the MyDoom file being on their computer (e.g. through a mail message). But I don't think that represents the number of people which clicked and executed the file, infecting their computer.
On Friday 30 January 2004 01:18 pm, bcm wrote:
> Is anyone taking any special precautions given the potential for a sudden increase in aggregate packets per second across your networks come Sunday afternoon when the original Mydoom virus enters into its DOS phase?
> Does anyone know if the virus' assault will be slowed if it is unable to reach www.sco.com? I am hoping that if it cannot reach SCO's site that the HTTP GET command will be slow in returning, effectively reducing the volume of traffic a single PC is capable of generating. I am having a difficult time artificially forcing the virus to start its attack in a lab environment, so I am unable to confirm this.
> Any input would be appreciated. Thanks!
I think we should help out SCO by creating new wildcard entries into our DNS servers that point *.sco.com to 127.0.0.1 as well as blackholing all SCO SWIPd IP Address Space. <a****le mode> We should also never remove the above. </a****le mode> -- Donovan Hill Electronics Engineering Technologist, CCNA www.lazyeyez.net, www.gwsn.com
In a message written on Fri, Jan 30, 2004 at 04:18:05PM -0800, Donovan Hill wrote:
> I think we should help out SCO by creating new wildcard entries into our DNS servers that point *.sco.com to 127.0.0.1 as well as blackholing all SCO SWIPd IP Address Space.
I'm going to be one of the last people who will defend SCO's recent actions. However, as much as I hate, and hate is the word, SCO, I feel the need to speak up after your comments. Bruce Perens has said it far better than I ever could at http://perens.com/SCO/DOS/. Please read what he has to say. We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on this one. I am doing what I can with my employer to do just that. Allowing attacks like this to succeed, either directly or indirectly, is far more harmful than allowing SCO to stay online. We cannot condone these actions for any reason; the end does not justify the means in the case of worms. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Leo Bicknell wrote:
> Bruce Perens has said it far better than I ever could at http://perens.com/SCO/DOS/. Please read what he has to say.
> We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on this one. I am doing what I can with my employer to do just that.
I agree both with Mr. Bicknell, and with Mr. Perens for the reasons given. I believe further that condemning this attack and doing what we can to thwart it are simply the right things to do.
> Allowing attacks like this to succeed, either directly or indirectly, is far more harmful than allowing SCO to stay online. We cannot condone these actions for any reason; the end does not justify the means in the case of worms.
On Friday 30 January 2004 04:39 pm, Leo Bicknell wrote:
> In a message written on Fri, Jan 30, 2004 at 04:18:05PM -0800, Donovan Hill wrote:
> > I think we should help out SCO by creating new wildcard entries into our DNS servers that point *.sco.com to 127.0.0.1 as well as blackholing all SCO SWIPd IP Address Space.
> I'm going to be one of the last people who will defend SCO's recent actions. However, as much as I hate, and hate is the word, SCO, I feel the need to speak up after your comments.
> Bruce Perens has said it far better than I ever could at http://perens.com/SCO/DOS/. Please read what he has to say.
> We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on this one. I am doing what I can with my employer to do just that. Allowing attacks like this to succeed, either directly or indirectly, is far more harmful than allowing SCO to stay online. We cannot condone these actions for any reason; the end does not justify the means in the case of worms.
Please don't misunderstand me. I in no way condone or encourage DoS attacking SCO/Caldera (or anyone for that matter). To my mind, that'd be like encouraging one group of people to attack another group of people for any reason. It's certainly not acceptable. My comments were meant in partial jest and partial frustration. Jest as a solution to the pending DDOS and frustration that SCO will spin this as an attack by the Linux community against SCO, which it is not. I apologize if I didn't make that clear. For the record, I fully believe that this worm (both variants) is designed to attack high profile targets in order to take the focus off of its spamming capability and create uncertainty as to what group actually authored the worm. It is my firm belief that this worm was written by spammers for the purpose of creating spam relays. Also, for the record, I believe everyone has the right to say what they will regardless of legitimacy, and this does include SCO. Again, I apologize if I gave the wrong impression that the pending DDOS attack on SCO was a good thing. It's not. -- Donovan Hill Electronics Engineering Technologist, CCNA www.lazyeyez.net, www.gwsn.com
> For the record, I fully believe that this worm (both variants) is designed to attack high profile targets in order to take the focus off of its spamming capability and create uncertainty as to what group actually authored the worm. It is my firm belief that this worm was written by spammers for the purpose of creating spam relays.
I'm not sure what the point of the DoS is if it's intended to be a spam engine; that would have the effect of helping to identify and hence clean up the infections. Of course we're guessing about the spam connection, it doesn't have a spam engine in it, the mail capabilities are purely to redistribute itself... to do spam you need to add the engine via the backdoor. I'm tempted to think it's nothing more than a bot and the backdoor is to allow the controller to go in and change its target. The DoS engine isn't that well written though, this is odd too... Oh well, I guess we'll see tomorrow! Steve
On Sat, 31 Jan 2004 18:24:42 GMT, "Stephen J. Wilcox" said:
> I'm not sure what the point of the DoS is if it's intended to be a spam engine; that would have the effect of helping to identify and hence clean up the infections.
Ahh.. you didn't take the time to think it through. ;) Consider - the perpetrator releases a *very* noisy worm with a DDoS engine on it (admittedly buggy). Then you go on vacation someplace warm and sunny, where visually attractive people of your preferred gender are walking around wearing a lot more than you need to wear where you were... Computers catch it. Computers spew it. Computers do their DDoS tapdance. Hopefully users and ISP staff notice and take action. Then 3 weeks later, you come back, tanned and rested - and run another scan. If you find your spam backdoor on port 3127 *still* open on a machine, you can be fairly sure you can spam away with impunity - if the user and their ISP didn't notice the box spewing mail the FIRST time, they won't notice the second time.....
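The scenario Valdis sketches has a defender's mirror image: the same signals that would tell a spammer which boxes are still infected (a backdoor that still answers on TCP/3127, a host that keeps spewing mail) are what an operator can look for in exported flow records to find and clean those boxes first. The following is an added example written for this thread, not code from any of the posters. The record format, the internal prefix (10.0.0.0/24), the SMTP fan-out threshold and the sample flows are all constructed assumptions; the port number is the one named in the message above.

```python
"""Flow-log triage for worm-infected end-user hosts (added example).

Two checks drawn from the thread:
  1. an inbound connection to the backdoor port that the internal host
     actually answered (a scan of a clean host gets no reply and is ignored);
  2. a single end-user host opening SMTP connections to many distinct peers,
     which is what "spewing mail" looks like at the flow level.
Record format, prefix and thresholds are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample, not captured traffic.
# Fields: time proto src:sport dst:dport pkts_fwd pkts_rev
SAMPLE_FLOWS = """\
2004-01-31T12:00:01Z tcp 198.51.100.7:40211 10.0.0.5:3127 6 5
2004-01-31T12:00:03Z tcp 198.51.100.7:40212 10.0.0.9:3127 1 0
2004-01-31T12:00:05Z tcp 10.0.0.5:1044 203.0.113.25:25 12 10
2004-01-31T12:00:06Z tcp 10.0.0.5:1045 203.0.113.26:25 11 9
2004-01-31T12:00:06Z tcp 10.0.0.5:1046 203.0.113.27:25 13 11
2004-01-31T12:00:07Z tcp 10.0.0.5:1047 203.0.113.28:25 10 8
2004-01-31T12:00:07Z tcp 10.0.0.5:1048 203.0.113.29:25 12 10
2004-01-31T12:00:08Z tcp 10.0.0.12:1052 203.0.113.80:80 9 8
2004-01-31T12:00:09Z tcp 10.0.0.12:1053 203.0.113.25:25 8 7
2004-01-31T12:00:10Z udp 10.0.0.12:1054 203.0.113.53:53 1 1
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # assumed customer/LAN prefix
BACKDOOR_PORT = 3127                              # port named in the thread
SMTP_FANOUT_THRESHOLD = 5                         # distinct SMTP peers per host (assumed)


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    time, proto, src, dst, fwd, rev = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"time": time, "proto": proto,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "pkts_fwd": int(fwd), "pkts_rev": int(rev)}


def triage(flow_text):
    """Return {internal_host: [reasons]} for hosts matching either check."""
    reasons = defaultdict(list)
    smtp_peers = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp":
            continue
        # Check 1: inbound to the backdoor port, and the host replied.
        if f["dst"] in INTERNAL and f["dport"] == BACKDOOR_PORT and f["pkts_rev"] > 0:
            reasons[str(f["dst"])].append(
                f"answered inbound tcp/{BACKDOOR_PORT} from {f['src']}")
        # Check 2: collect distinct SMTP peers per internal source.
        if f["src"] in INTERNAL and f["dport"] == 25 and f["pkts_rev"] > 0:
            smtp_peers[str(f["src"])].add(f["dst"])
    for host, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            reasons[host].append(f"outbound smtp to {len(peers)} distinct peers")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(triage(SAMPLE_FLOWS).items()):
        print(host)
        for reason in why:
            print("   ", reason)
```

On the constructed sample only 10.0.0.5 is reported, on both counts; 10.0.0.9 received a SYN on 3127 but never answered, so it is treated as scanned rather than infected, and 10.0.0.12 talks to a single mail server, which is normal client behaviour. The fan-out threshold is the knob to tune per network: a legitimate mail relay in the prefix needs to be excluded or it will trip the second check.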
I believe there is a major and perhaps fatal flaw in this analysis. Valdis.Kletnieks@vt.edu wrote:
> On Sat, 31 Jan 2004 18:24:42 GMT, "Stephen J. Wilcox" said:
> > I'm not sure what the point of the DoS is if it's intended to be a spam engine; that would have the effect of helping to identify and hence clean up the infections.
> Ahh.. you didn't take the time to think it through. ;)
> Consider - the perpetrator releases a *very* noisy worm with a DDoS engine on it (admittedly buggy). Then you go on vacation someplace warm and sunny, where visually attractive people of your preferred gender are walking around wearing a lot more than you need to wear where you were...
^^^^ The analysis works if that was the word "less".
> Computers catch it. Computers spew it. Computers do their DDoS tapdance. Hopefully users and ISP staff notice and take action.
> Then 3 weeks later, you come back, tanned and rested - and run another scan. If you find your spam backdoor on port 3127 *still* open on a machine, you can be fairly sure you can spam away with impunity - if the user and their ISP didn't notice the box spewing mail the FIRST time, they won't notice the second time.....
I doubt that the length of 3 is important. Based on my past experience "Then 3 weeks later" can be replaced by "Some time later when the cold is gone".
On Sat, 31 Jan 2004 17:48:13 CST, "Laurence F. Sheldon, Jr." <larrysheldon@cox.net> said:
> The analysis works if that was the word "less".
D'oh! ;)
> I doubt that the length of 3 is important. Based on my past experience "Then 3 weeks later" can be replaced by "Some time later when the cold is gone".
Locally, I'm looking at a low of 7F tonight, with wind chills well below zero, and the National Weather Service says Monday night we have "freezing rain, with snow and sleet north of Highway 460". Great, I live 2 blocks *south* of 460.. Anybody got recommendations on warm places that have good bandwidth to the beach? :)
----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>
Sent: Saturday, January 31, 2004 3:10 PM
Subject: Re: Impending (mydoom) DOS attack
> Anybody got recommendations on warm places that have good bandwidth to the beach? :)
http://pacific.bizjournals.com/pacific/stories/2002/05/27/daily35.html It will mean instant high-speed Web access in rooms, poolside, or oceanside. "(We) will be able to offer laptop computers with Internet access and virtual office guest rooms," Hyatt Regency Maui GM Barry Lewin said. http://www.mauiembassy.com/amenities.html http://www.mauiskyfiber.com/pricing.html
participants (10)
- bcm
- Chris Behrens
- Donovan Hill
- Laurence F. Sheldon, Jr.
- Leo Bicknell
- Michael Painter
- Mike Tancsa
- Sean Donelan
- Stephen J. Wilcox
- Valdis.Kletnieks@vt.edu