Interesting solution, but it doesn't address a couple of possible problems. Firstly - how many hosts would they need? Secondly - can their link cope? No amount of front end victim boxes will help them there - if you get to filter a packet, the bandwidth damage has already been done. All depends on whether or not the 15th is a mass explosion, or a cheap firework really. I don't think M$ want the bad press of poisoning the DNS until Christmas either ;)

As an aside, it was really about time that someone slapped them in the face with something like this, that's visible enough for the suits to notice.

james

On Tue, 2003-08-12 at 14:13, opticfiber wrote:
> Why not just setup a simple forward, that way all the traffic that would
> normally be intended for the windows update site would be diverted to a
> totally different host. See diagram below:
>
> Normal Site
> 192.168.1.111 (window update.com)
>
> Setup to save M$ from worm forward
> Normal Site
> 192.168.1.111 (windows.update.com) -----------------> 192.168.100.225 (windows.offsite.update.com)
>
> By using this setup, you can filter everything except http requests.
> Furthermore, it'd be relatively simple to setup a rotating pool of
> different forwards to the main site. Meaning every time someone resolved
> windowsupdate.com the name resolved to a different ip address that still
> forwards to the main site. By using this setup the ddos can be spread
> out over several forwarding hosts and not even touch the main site.
>
> William Reyor
> TopSight - Discussions on computers and beyond
> http://www.topsight.net
>
> Andrew Thomas wrote:
>
> >>From: Chris Eagle [mailto:[EMAIL PROTECTED]
> >>Sent: 12 August 2003 01:31
> >>Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
> >>
> >>The IP is not hard coded. It does a lookup on "windowsupdate.com"
> >
> >Allowing the option for corporates and/or isp's to dns poison that
> >to resolve to 127.0.0.1, or even dns race with tools like team teso's
> >if one doesn't use internal/caching NS.
> >
> >Might save some traffic on 15 August. Alternative, route all traffic
> >to the resolved IP addresses to /dev/null, but with the above, the
> >traffic shouldn't even leave the machine in question.
> >
> >--
> >Andrew G. Thomas
> >Hobbs & Associates Chartered Accountants (SA)
> >(o) +27-(0)21-683-0500
> >(f) +27-(0)21-683-0577
> >(m) +27-(0)83-318-4070
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html

--
James Greenhalgh <[EMAIL PROTECTED]>
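Added illustration, not part of the thread above: the option Andrew describes (an internal caching name server that answers "windowsupdate.com" with 127.0.0.1 so the worm's traffic never leaves the infected machine), written as a dnsmasq configuration. The lookup name comes from the thread; the log file path is an assumption.

```conf
# Added example (not from the thread): internal dnsmasq resolver that
# sinkholes the name the worm resolves, so the flood stays on each
# infected host instead of crossing the site's uplink.
# Only the domain comes from the thread; the log path is an assumption.

# Answer windowsupdate.com (and any subdomain) with 127.0.0.1.
address=/windowsupdate.com/127.0.0.1

# Log every query: a burst of lookups for the sinkholed name from one
# client address is a simple indicator of an infected host to clean up.
log-queries
log-facility=/var/log/dnsmasq-sinkhole.log
```

Two caveats that the thread itself raises: this only helps for clients that actually use the internal resolver (Andrew's "if one doesn't use internal/caching NS"), and while it is in place legitimate Windows Update access from those clients is blocked too, so it is a measure for the DDoS window rather than something to leave in "until Christmas".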