Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS

From: James Greenhalgh (james.greenhalgh_at_worldpay.com)
Date: 08/12/03

  • Next message: Andrew Thomas: "RE: [Full-Disclosure] aside: worm vs. worm?"
    To: opticfiber <opticfiber@topsight.net>
    Date: 12 Aug 2003 16:31:48 +0100
    
    

    Interesting solution, but it doesn't address a couple of possible
    problems. Firstly, how many hosts would they need? Secondly, can
    their link cope? No amount of front-end victim boxes will help them
    there; if you get to filter a packet, the bandwidth damage has already
    been done. It all depends on whether or not the 15th is a mass explosion or
    a cheap firework, really. I don't think M$ want the bad press of
    poisoning the DNS until Christmas either ;)

    As an aside, it was really about time that someone slapped them in the
    face with something like this, that's visible enough for the suits to
    notice.

    james

    On Tue, 2003-08-12 at 14:13, opticfiber wrote:
    > Why not just set up a simple forward? That way all the traffic that would
    > normally be intended for the Windows Update site would be diverted to a
    > totally different host. See diagram below:
    >
    > Normal Site
    > 192.168.1.111(window update.com)
    >
    > Setup to save M$ from worm forward
    > Normal Site
    > 192.168.1.111(windows.update.com) ----------------->
    > 192.168.100.225(windows.offsite.update.com)
    >
    > By using this setup, you can filter everything except HTTP requests.
    > Furthermore, it'd be relatively simple to set up a rotating pool of
    > different forwards to the main site, meaning every time someone resolved
    > windowsupdate.com the name resolved to a different IP address that still
    > forwards to the main site. By using this setup the DDoS can be spread
    > out over several forwarding hosts and not even touch the main site.
    >
    >
    > William Reyor
    > TopSight - Discussions on computers and beyond
    > http://www.topsight.net
    >
    > Andrew Thomas wrote:
    >
    > >>From: Chris Eagle [mailto:cseagle@redshift.com]
    > >>Sent: 12 August 2003 01:31
    > >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
    > >>
    > >>
    > >>The IP is not hard coded. It does a lookup on "windowsupdate.com"
    > >>
    > >>
    > >
    > >Allowing the option for corporates and/or ISPs to DNS-poison that
    > >to resolve to 127.0.0.1, or even DNS race with tools like team teso's
    > >if one doesn't use internal/caching NS.
    > >
    > >Might save some traffic on 15 August. Alternatively, route all traffic
    > >to the resolved IP addresses to /dev/null, but with the above, the
    > >traffic shouldn't even leave the machine in question.
    > >
    > >--
    > >Andrew G. Thomas
    > >Hobbs & Associates Chartered Accountants (SA)
    > >(o) +27-(0)21-683-0500
    > >(f) +27-(0)21-683-0577
    > >(m) +27-(0)83-318-4070
    > >
    > >_______________________________________________
    > >Full-Disclosure - We believe in it.
    > >Charter: http://lists.netsys.com/full-disclosure-charter.html
    > >
    > >
    > >
    > >
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    James Greenhalgh <james.greenhalgh@worldpay.com>
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
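
The resolver-side sinkhole Andrew Thomas describes in the quoted post, written out as a BIND 9 configuration. This is an added example and was not posted in the thread: the server name ns.sinkhole.example, the zone file path and the serial are assumptions. It is meant for a corporate or ISP caching resolver, where it makes windowsupdate.com (and, via the wildcard, anything under it) resolve to 127.0.0.1 so that an infected host's traffic never leaves the box.

```conf
# Added example (not from the thread): BIND 9 sinkhole zone for
# windowsupdate.com on a caching resolver. Names and paths are assumptions.

# --- named.conf snippet ---
# Declaring the zone locally makes this server answer for the name itself
# instead of forwarding the query to the real authoritative servers.
zone "windowsupdate.com" {
    type master;
    file "/etc/bind/db.sinkhole-windowsupdate";
    # Nobody else should be able to pull the poisoned zone.
    allow-transfer { none; };
};

; --- /etc/bind/db.sinkhole-windowsupdate ---
; Short TTL so the entry drops out of downstream caches quickly once
; the zone is removed after the 15th.
$TTL 300
@       IN  SOA  ns.sinkhole.example. hostmaster.sinkhole.example. (
                 2003081501  ; serial (YYYYMMDDnn)
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 300 )       ; negative-cache TTL
        IN  NS   ns.sinkhole.example.
; The worm looks up the bare name, so the apex A record is the one that matters.
@       IN  A    127.0.0.1
; Catch www.windowsupdate.com and any other label under it as well.
*       IN  A    127.0.0.1
```

After `rndc reload`, `dig @<resolver> windowsupdate.com A` should return 127.0.0.1. The zone affects every client of that resolver, not only infected ones, so it has to be taken out again once the date has passed. The null-route alternative from the same post (on a Linux router, `ip route add blackhole <resolved-ip>/32`, the address being whatever the name resolves to at the time) stops the flood at the router instead of on the infected host, which is why the resolver-side fix is the one that keeps the packets off the wire entirely.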
    
