Re: www.windowupdate.com GONE - What about the little people?

From: Tom Frerichs (tfrerich_at_SHIBOLETH.NET)
Date: 08/19/03

    Date:         Tue, 19 Aug 2003 09:46:21 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I think Microsoft's reaction was reasonable, but perhaps for a different
    reason than most people might think. In particular, I'm not too concerned
    about a DDoS attack on windowsupdate.com, but I am concerned about the
    amount of traffic that beast generated.

    Not only were there many packets generated on port 80 from each infection,
    but since the worm spoofed the IP of the sender, there was substantial ARP
    traffic generated as well. And if the spoofed address existed then there was
    traffic back to that address as well.

    By dumping windowsupdate.com, yet leaving schemas.windowsupdate.com and
    download.windowsupdate.com active, Microsoft effectively stopped the worm
    from doing any sort of DDoS, yet left the Windows update procedure working.
    It just went to sleep, so far as sending packets to windowsupdate.com. After
    all, a browser call to windowsupdate.com just redirected to one of the same
    machines that handles windowsupdate.microsoft.com.

    Personally, I'm rather thankful that the worm writer didn't attack one of
    the active sites. Enough bandwidth is being consumed by other legitimate and
    not-so-legitimate uses. We didn't need yet another consumer.

    Tom Frerichs
