[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS

To: opticfiber <opticfiber@topsight.net>
Subject: Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
From: James Greenhalgh <james.greenhalgh@worldpay.com>
Date: 12 Aug 2003 16:31:48 +0100

Interesting solution, but it doesn't address a couple of possible
problems, firstly - how many hosts would they need?  Secondly - can
their link cope, no amount of front end victim boxes will help them
there - if you get to filter a packet, the bandwidth damage has already
been done.  All depends on whether or not the 15th is mass explosion, or
a cheap firework really.  I dont think M$ want the bad press of
poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
notice.

james



On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just setup a simple forward, that way all the traffic that would 
> normally be intended for the windows update site would be diverted to a 
> totally difrent host. See diagram below:
> 
> Normal Site
> 192.168.1.111(window update.com)
> 
> Setup to save M$ from  worm                     forward                
> Normal Site
> 192.168.1.111(windows.update.com)  ----------------->  
> 192.168.100.225(windows.offsite.update.com)
> 
> By using this setup, you can filter everything except  http requests. 
> Further more, it'd be relativly simple to setup a rotating pool of 
> difrent forwards to the main site. Meaning every time some one resolved 
> windowsupdate.com the name resolved to a difrent ip address that still 
> forwards to the main site. By using  this setup the ddos can be spread 
> out over several forwarding hosts and not even touch the main site.
> 
> 
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
> 
> Andrew Thomas wrote:
> 
> >>From: Chris Eagle [mailto:cseagle@redshift.com] 
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>
> >>
> >>The IP is not hard coded.  It does a lookup on "windowsupdate.com"
> >>    
> >>
> >
> >Allowing the option for corporates and/or isp's to dns poison that
> >to resolve to 127.0.0.1, or even dns race with tools like team teso's
> >if one doesn't use internal/cacheing NS.
> >
> >Might save some traffic on 15 August. Alternative, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >
> >--
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070 
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >  
> >
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
James Greenhalgh <james.greenhalgh@worldpay.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
  - From: "morning_wood" <se_cur_ity@hotmail.com>

References:
- RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
  - From: "Andrew Thomas" <andrewt@nmh.co.za>
- Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
  - From: opticfiber <opticfiber@topsight.net>

Prev by Date: RE: [Full-Disclosure] aside: worm vs. worm?
Next by Date: Re: [Full-Disclosure] MSblast worm
Prev by thread: RE: [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS
Next by thread: Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
Index(es):
- Date
- Thread