Re: GONE - What about the little people?

From: Tom Frerichs (tfrerich_at_SHIBOLETH.NET)
Date: 08/19/03

  • Next message: Marc Maiffret: "Re: Eagle Raptor Firewall for Windows vulnerable to MSBLAST?"
    Date:         Tue, 19 Aug 2003 09:46:21 -0600

    I think Microsoft's reaction was reasonable, but perhaps for a different
    reason than most people might think. In particular, I'm not too concerned
    about a DDoS attack on, but I am concerned about the
    amount of traffic that beast generated.

    Not only were there many packets generated on port 80 from each infection,
    but since the worm spoofed the IP of the sender, there was substantial ARP
    traffic generated as well. And if the spoofed address existed then there was
    traffic back to that address as well.

    By dumping, yet leaving and active, Microsoft effectively stopped the worm
    from doing any sort of DDoS, yet left the Windows update procedure working.
    It just went to sleep, so far as sending packets to After
    all, a browser call to just redirected to one of the same
    machines that handles

    Personally, I'm rather thankful that the worm writer didn't attack one of
    the active sites. Enough bandwidth is being consumed by other legitimate and
    not-so-legitimate uses. We didn't need yet another consumer.

    Tom Frerichs
