From: Marc Maiffret [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 2:58 PM
To: B3r3n; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] msblast DDos counter measures
Yah this has been mentioned a few times although I am not sure why your
blackhole windowsupdate.microsoft.com
,
Christopher Lyon
Affant Communication (formerly DNS Network Services)
[EMAIL PROTECTED]
-Original Message-
From: Marc Maiffret [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 2:58 PM
To: B3r3n; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] msblast DDos counter measures
Yah
- Original Message -
From: Christopher Lyon [EMAIL PROTECTED]
To: Marc Maiffret [EMAIL PROTECTED]; B3r3n [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 10:22 PM
Subject: RE: [Full-Disclosure] msblast DDos counter measures (More Insight
Maybe?)
There has been posted on many
Marc,
therefore keeping machines from using windows update to get patches.
Because I have 15 000 machines to tell that...
the worm only hits windowsupdate.com
Glancing at multiple internet sites, the 2 main sites were mentioned, and
so in doubt...
But it is not a very problem. Once we will
Hi,
I have a (maybe) new idea that is worth discussing.
What about writing a new worm based on the well-known exploit - this worm
should do something like:
- disinfect the machine from the known variants of msblast
- install the patch or at least inform the user that he should do that
- spread out
Quoting Christopher Lyon ([EMAIL PROTECTED]):
Look at these traces to see what it is doing. Note the source and
destination ports and addresses.
WINDOWSUPDATE.COM set to resolve normally
19:48:23.963345 192.168.187.171.1823 204.79.188.11.http: S
886046720:886046720(0) win 16384
It is
From: Vladimir Parkhaev [mailto:[EMAIL PROTECTED]
Quoting B3r3n ([EMAIL PROTECTED]):
Christopher,
So, the machine is coming back up and the date was set after the 16th
and what do I see, I see a SYN flood but the source is 127.0.0.1 and the
destination is 192.168.X.X/16. (I am
-Original Message-
From: Vladimir Parkhaev [mailto:[EMAIL PROTECTED]
Sent: Friday, August 15, 2003 9:18 AM
To: Christopher Lyon
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] msblast DDos counter measures (More
Insight
Maybe?)
Quoting Christopher Lyon ([EMAIL PROTECTED
Yeah, that's just what we need. Then we get to explain to users that
*some* worms are bad, and other worms are good.
NOT!!!
--On Friday, August 15, 2003 03:20:12 PM +0200 Daniel Rudolph
[EMAIL PROTECTED] wrote:
Hi,
I have a (maybe) new idea that is worth discussing.
What about writing a new
Quoting Christopher Lyon ([EMAIL PROTECTED]):
OK,
Sorry that I didn't see that before but I see it now. Thanks.
It is all right. I liked the idea of playing with DNS to avoid the DOS myself...
Looks like m$ killed windowsupdate.com and there will be no dDOS (bring:)
Here is what Len
You mean *after* you get out of jail smile
Thanks,
Ron DuFresne
On Fri, 15 Aug 2003, Paul Schmehl wrote:
Yeah, that's just what we need. Then we get to explain to users that
*some* worms are bad, and other worms are good.
NOT!!!
--On Friday, August 15, 2003 03:20:12 PM +0200 Daniel
All,
We found a simple solution to protect our IntraNet against the DDoS.
Since the msblast.exe will SYN flood windowsupdate.com (or
windowsupdate.microsoft.com) with 50 packets per second (according to our
tests).
Since our IntraNet solves all its DNS queries through internal caches
vulnerabilities
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] Behalf Of B3r3n
| Sent: Thursday, August 14, 2003 11:10 AM
| To: [EMAIL PROTECTED]
| Subject: [Full-Disclosure] msblast DDos counter measures
|
|
| All,
|
| We found a simple solution to protect our