Re: www.windowupdate.com GONE - What about the little people?
From: Tom Frerichs (tfrerich_at_SHIBOLETH.NET)
Date: Tue, 19 Aug 2003 09:46:21 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I think Microsoft's reaction was reasonable, but perhaps for a different
reason than most people might think. In particular, I'm not too concerned
about a DDoS attack on windowsupdate.com, but I am concerned about the
amount of traffic that beast generated.
Not only were there many packets generated on port 80 from each infection,
but since the worm spoofed the IP of the sender, there was substantial ARP
traffic generated as well. And if the spoofed address existed, then there was
traffic back to that address as well.
By dumping windowsupdate.com, yet leaving schemas.windowsupdate.com and
download.windowsupdate.com active, Microsoft effectively stopped the worm
from doing any sort of DDoS, yet left the Windows update procedure working.
It just went to sleep, so far as sending packets to windowsupdate.com. After
all, a browser call to windowsupdate.com just redirected to one of the same
machines that handles windowsupdate.microsoft.com.
Personally, I'm rather thankful that the worm writer didn't attack one of
the active sites. Enough bandwidth is being consumed by other legitimate and
not-so-legitimate uses. We didn't need yet another consumer.
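The traffic pattern Tom describes (one infected host emitting port-80 SYNs with many different spoofed source addresses, and the gateway then ARPing for return addresses that do not exist) is something a LAN admin could have spotted from a packet capture. The script below is an added illustration, not code from the post or from Microsoft: it runs over a constructed packet summary in a hypothetical one-line-per-packet format, assumes the capture point sees original Ethernet frames on a 10.1.0.0/16 LAN so that every spoofed source looks local to the gateway, and flags any source MAC that sends SYNs from several distinct IP addresses, then correlates those addresses with unanswered ARP requests.

```python
"""Detect spoofed-source SYN traffic and the ARP noise it causes.

Added example, not from the original post. Input format is hypothetical:
    <timestamp> <src_mac> <src_ip> <dst_ip> <dst_port> <proto> <flags>
For ARP lines dst_port is "-"; on a "who-has" dst_ip is the address being
looked up, and on an "is-at" src_ip is the address of the host answering.
"""
from collections import defaultdict

# Constructed sample capture (not real data). 00:11:22:33:44:55 is the infected
# host (real address 10.1.2.10) spoofing sources inside the assumed 10.1.0.0/16
# LAN; 00:aa:bb:cc:dd:ee is a normal host; 00:00:5e:00:01:01 is the gateway.
SAMPLE_LOG = """\
1061310001.001 00:11:22:33:44:55 10.1.2.10    192.0.2.80   80  TCP S
1061310001.002 00:11:22:33:44:55 10.1.57.3    192.0.2.80   80  TCP S
1061310001.003 00:11:22:33:44:55 10.1.200.14  192.0.2.80   80  TCP S
1061310001.004 00:11:22:33:44:55 10.1.9.77    192.0.2.80   80  TCP S
1061310001.005 00:11:22:33:44:55 10.1.130.2   192.0.2.80   80  TCP S
1061310001.006 00:11:22:33:44:55 10.1.44.250  192.0.2.80   80  TCP S
1061310001.007 00:aa:bb:cc:dd:ee 10.1.2.20    192.0.2.80   80  TCP S
1061310001.008 00:aa:bb:cc:dd:ee 10.1.2.20    198.51.100.5 443 TCP S
1061310001.010 00:00:5e:00:01:01 10.1.2.1     10.1.57.3    -   ARP who-has
1061310001.011 00:00:5e:00:01:01 10.1.2.1     10.1.200.14  -   ARP who-has
1061310001.012 00:00:5e:00:01:01 10.1.2.1     10.1.9.77    -   ARP who-has
1061310001.013 00:00:5e:00:01:01 10.1.2.1     10.1.2.20    -   ARP who-has
1061310001.014 00:aa:bb:cc:dd:ee 10.1.2.20    10.1.2.1     -   ARP is-at
"""


def _ip_key(addr):
    """Sort IPv4 dotted quads numerically rather than lexically."""
    return tuple(int(octet) for octet in addr.split("."))


def parse_log(text):
    """Turn the summary lines into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, src_ip, dst_ip, dst_port, proto, flags = line.split()
        records.append({"ts": float(ts), "mac": mac.lower(), "src_ip": src_ip,
                        "dst_ip": dst_ip, "dst_port": dst_port,
                        "proto": proto, "flags": flags})
    return records


def spoofing_sources(records, port="80", min_distinct=3):
    """Map each MAC that sent pure SYNs to `port` from at least `min_distinct`
    different source IPs to the sorted list of those IPs. One NIC legitimately
    owns one or two addresses; half a dozen in a second is spoofing."""
    seen = defaultdict(set)
    for r in records:
        if (r["proto"] == "TCP" and r["dst_port"] == port
                and "S" in r["flags"] and "A" not in r["flags"]):
            seen[r["mac"]].add(r["src_ip"])
    return {mac: sorted(ips, key=_ip_key)
            for mac, ips in seen.items() if len(ips) >= min_distinct}


def unanswered_arp(records):
    """Addresses the LAN asked for with who-has but nobody ever claimed."""
    asked = {r["dst_ip"] for r in records
             if r["proto"] == "ARP" and r["flags"] == "who-has"}
    answered = {r["src_ip"] for r in records
                if r["proto"] == "ARP" and r["flags"] == "is-at"}
    return sorted(asked - answered, key=_ip_key)


def report(records):
    """Per suspect MAC: the source IPs it used and which of them drew ARP
    requests that went unanswered (i.e. the spoofed address did not exist)."""
    dead = set(unanswered_arp(records))
    return {mac: {"source_ips": ips,
                  "unanswered_arp": sorted(set(ips) & dead, key=_ip_key)}
            for mac, ips in spoofing_sources(records).items()}


if __name__ == "__main__":
    for mac, info in report(parse_log(SAMPLE_LOG)).items():
        print(mac, info)
```

The MAC-to-IP correlation only works where the capture point sees the original frames, i.e. on the same broadcast domain or a mirror port on the access switch; past a router every packet carries the router's MAC and the check degrades to counting distinct source IPs per segment. The unanswered-ARP list is the part a network operator would notice first, since it is exactly the extra traffic the post complains about.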