Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
From: James Greenhalgh (james.greenhalgh_at_worldpay.com)
To: opticfiber <email@example.com>
Date: 12 Aug 2003 16:31:48 +0100
Interesting solution, but it doesn't address a couple of possible
problems. Firstly, how many hosts would they need? Secondly, can
their link cope? No amount of front-end victim boxes will help them
there; if you get to filter a packet, the bandwidth damage has already
been done. All depends on whether or not the 15th is a mass explosion or
a cheap firework, really. I don't think M$ want the bad press of
poisoning the DNS until Christmas either ;)
As an aside, it was really about time that someone slapped them in the
face with something like this, that's visible enough for the suits to
On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just set up a simple forward? That way all the traffic that would
> normally be intended for the Windows Update site would be diverted to a
> totally different host. See diagram below:
> Normal Site
> 192.168.1.111(window update.com)
> Setup to save M$ from worm forward
> Normal Site
> 192.168.1.111(windows.update.com) ----------------->
> By using this setup, you can filter everything except HTTP requests.
> Furthermore, it'd be relatively simple to set up a rotating pool of
> different forwards to the main site, meaning every time someone resolved
> windowsupdate.com the name resolved to a different IP address that still
> forwards to the main site. By using this setup the DDoS can be spread
> out over several forwarding hosts and not even touch the main site.
> William Reyor
> TopSight - Discussions on computers and beyond
> Andrew Thomas wrote:
> >>From: Chris Eagle [mailto:firstname.lastname@example.org]
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>The IP is not hard coded. It does a lookup on "windowsupdate.com"
> >Allowing the option for corporates and/or ISPs to DNS-poison that
> >to resolve to 127.0.0.1, or even DNS-race with tools like Team Teso's
> >if one doesn't use an internal/caching NS.
> >Might save some traffic on 15 August. Alternative, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
-- James Greenhalgh <email@example.com>
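As an added example (not posted by anyone in this thread), this is what the resolver-side sinkhole Andrew Thomas describes looks like on an internal caching nameserver: the resolver is made authoritative for windowsupdate.com and answers 127.0.0.1, so the worm's traffic never leaves the infected machine. It assumes BIND 9; the nameserver name ns1.example.internal, the hostmaster address and the zone file path are placeholders, not values from the thread.

```conf
# named.conf fragment: override the zone on the internal caching resolver.
# Clients that use this resolver (and only those) get the sinkhole answer.
zone "windowsupdate.com" {
    type master;
    file "/etc/bind/db.sinkhole-windowsupdate";   # placeholder path
};

# /etc/bind/db.sinkhole-windowsupdate
# Short TTL so the override can be removed quickly after the 15th;
# clients will stop caching the 127.0.0.1 answer within five minutes.
$TTL 300
@       IN  SOA ns1.example.internal. hostmaster.example.internal. (
                2003081201 ; serial (placeholder, YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN  NS  ns1.example.internal.
; Bare name: what the worm looks up (per Chris Eagle's note above).
        IN  A   127.0.0.1
; Wildcard so any label under the zone gets the same answer.
*       IN  A   127.0.0.1
```

Two caveats a practitioner would check before loading this: the override also breaks legitimate lookups of that name for every client using this resolver, which is exactly the "bad press" trade-off James raises, so it needs a dated removal plan; and because the resolver now answers authoritatively, verifying it with `dig @<resolver> windowsupdate.com A` should show 127.0.0.1 with the 300-second TTL, while clients with hard-coded external resolvers are not covered at all.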