RE: [Full-Disclosure] DDos counter measures
- To: "'vogt@hansenet.com'" <vogt@hansenet.com>, llevier@argosnet.com, full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] DDos counter measures
- From: Roland Arendes <Roland.Arendes@de.flextronics.com>
- Date: Fri, 15 Aug 2003 16:58:05 +0200
As far as I can see, Microsoft has already fixed the situation; there won't be
any DDoS. Can someone confirm this?
The DNS record of windowsupdate.com is empty/deleted.
To your question: this 127.0.0.1 thing is a very bad idea, because the worm
will use spoofed source IP addresses from your local network. The machine
itself (127.0.0.1) will flood RST packets, because of the closed port, through
your local network (nice thing ;)
And no: windowsupdate.microsoft.com is not needed, as it is not resolved by
the worm.
> -----Original Message-----
> From: vogt@hansenet.com [mailto:vogt@hansenet.com]
> Sent: Friday, 15 August 2003 09:43
> To: llevier@argosnet.com; full-disclosure@lists.netsys.com
> Subject: AW: [Full-Disclosure] DDos counter measures
>
>
> > Since our IntraNet solves all its DNS queries through internal caches
> > (mandatory bottleneck), we created windowsupdate.com &
> > windowsupdate.microsoft.com zones in this bottleneck DNS. These are
> > resolving to 127.0.0.1 with DNS wildcards.
>
> Is it necessary to add windowsupdate.microsoft.com to this?
> So far, all analysis indicated that it attacks
> windowsupdate.com, the old legacy site. Or did I miss something?
>
>
> best regards / mit freundlichen Gruessen,
>
> Tom Vogt
> Hansenet Webfarm Security
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
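The backscatter argument in the reply above, as an added model that is not part of the thread. It assumes a constructed 10.0.0.0/16 LAN, port 80 closed on the infected host, and an unreachable RFC 5737 address as the alternative sinkhole target; it counts how many RSTs the infected host's own TCP stack would send onto the LAN for each choice.

```python
"""Model (added, not from the thread) of why resolving the worm's DDoS target
to 127.0.0.1 turns each infected host into a RST flooder on its own LAN.
Assumptions: LAN 10.0.0.0/16 (constructed), port 80 closed on the infected
host, and a worm that sends SYNs to the resolved target with source
addresses spoofed from the local network."""
import ipaddress
import random
from collections import Counter

LAN = ipaddress.ip_network("10.0.0.0/16")        # constructed example network
LOOPBACK = ipaddress.ip_address("127.0.0.1")     # the sinkhole choice under discussion
BLACKHOLE = ipaddress.ip_address("192.0.2.1")    # RFC 5737 TEST-NET, assumed unreachable


def spoofed_syns(count, seed=1):
    """Worm traffic as (spoofed_src, dst_port) tuples, sources drawn from the LAN."""
    rng = random.Random(seed)
    lo, hi = int(LAN.network_address) + 1, int(LAN.broadcast_address) - 1
    return [(ipaddress.ip_address(rng.randint(lo, hi)), 80) for _ in range(count)]


def responder_present(target):
    """A TCP stack answers the SYN only if the target is the infected host
    itself (loopback) or some host on the LAN; an unreachable address drops it."""
    return target == LOOPBACK or target in LAN


def rst_backscatter(target, syns, open_ports=frozenset()):
    """Counter of LAN hosts hit by RSTs when the worm's SYNs go to `target`.
    A SYN to a closed port is answered with a RST addressed to the *spoofed*
    source, so each RST travels across the LAN to an uninvolved machine."""
    hits = Counter()
    if not responder_present(target):
        return hits
    for src, port in syns:
        if port not in open_ports and src in LAN:
            hits[str(src)] += 1
    return hits


def compare(count=20000):
    """Total RSTs injected into the LAN for the two sinkhole choices."""
    syns = spoofed_syns(count)
    return {"loopback": sum(rst_backscatter(LOOPBACK, syns).values()),
            "blackhole": sum(rst_backscatter(BLACKHOLE, syns).values())}


if __name__ == "__main__":
    print(compare())  # {'loopback': 20000, 'blackhole': 0}
```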