RE: [Full-Disclosure] Windows Dcom Worm planned DDoS

From: Andrew Thomas (andrewtat_private)
Date: Tue Aug 12 2003 - 04:37:15 PDT

    > From: Chris Eagle [mailto:cseagleat_private] 
    > Sent: 12 August 2003 01:31
    > Subject: RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
    > 
    > 
    > The IP is not hard coded.  It does a lookup on "windowsupdate.com"
    
    Allowing the option for corporates and/or ISPs to DNS poison that
    to resolve to 127.0.0.1, or even DNS race with tools like Team TESO's
    if one doesn't use internal/caching NS.
    
    Might save some traffic on 15 August. Alternatively, route all traffic
    to the resolved IP addresses to /dev/null, but with the above, the
    traffic shouldn't even leave the machine in question.
    
    --
    Andrew G. Thomas
    Hobbs & Associates Chartered Accountants (SA)
    (o) +27-(0)21-683-0500
    (f) +27-(0)21-683-0577
    (m) +27-(0)83-318-4070 
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
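
The resolver-side override suggested in this message, as an added example that is not part of the original post: a shell function that writes a master zone answering 127.0.0.1 for windowsupdate.com and every name under it, plus the stanza that loads it. The choice of BIND, the file names and the `ns`/`hostmaster` labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build an override ("sinkhole")
# zone for an internal caching name server so that lookups of the worm's
# target name never leave the network. BIND syntax is assumed; the file
# names and the ns/hostmaster labels are hypothetical.

# make_sinkhole_zone DOMAIN SINK_IP OUT_DIR
make_sinkhole_zone() {
    domain=$1
    sink=$2
    out=$3
    serial="$(date +%Y%m%d)01"      # YYYYMMDDnn serial, bump nn on each edit

    mkdir -p "$out" || return 1

    # Zone data: the apex, the in-zone NS host and a wildcard all answer
    # with the sink address, so the bare name and any host under it resolve
    # the same way. Lines starting with whitespace reuse the owner "@".
    cat > "$out/db.$domain" <<EOF
\$TTL 300
@   IN SOA ns.$domain. hostmaster.$domain. (
        $serial 3600 900 604800 300 )
    IN NS  ns.$domain.
    IN A   $sink
ns  IN A   $sink
*   IN A   $sink
EOF

    # Stanza to include from named.conf on the internal resolver only.
    cat > "$out/named.conf.sinkhole" <<EOF
zone "$domain" {
    type master;
    file "$out/db.$domain";
};
EOF
}

# Example call (values from the thread, output directory is hypothetical):
#   make_sinkhole_zone windowsupdate.com 127.0.0.1 /etc/bind/sinkhole
```

Check the generated file with `named-checkzone` before reloading the server. The override hides every real record for the domain, so it only affects clients that actually query the internal resolver and should be removed once the event has passed.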
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 05:55:34 PDT