hope the below helps you out oliver ;)

<source elided>

Hi Team,

Just tinkering w/ the "wurm" a little and thought I'd make a couple of observations on the AUG 16 date.

At some time on or after Aug 16, the worm will issue a DNS request for the A record of windowsupdate.com to the locally configured DNS server with the +recursion option set. When the clock strikes Aug 16, it does NOT appear to immediately attack windowsupdate.com. My guess is that the loop iterating the /16 scan needs to complete before the code checks the clock again for attacking Microsoft.

Assuming the query succeeds, the two current A records will be returned:

207.46.134.30
207.46.134.94

The worm will then begin to send 60 byte (20 bytes ethernet padding) TCP SYN packets to windowsupdate.com port 80. The source IP will be spoofed out of the /16 of the local LAN subnet, the source port will be in the range of 1000-2000, IP TTL of 128, and IP ID 256. Note the very consistent parameters in the IP packets. A combination of source ports and/or IP ID checking may be another way to fingerprint the attack.

The worm appears to select the first IP of the two returned in the DNS reply consistently, so it may be possible to simply block access to the first IP if necessary as a mitigation method.

While sending TCP floods it will issue a PTR lookup for the IP it is attacking:

30.134.46.207.in-addr.arpa

The rate of packets sent may vary based on hardware platform, CPU, and bandwidth, but I've noticed a rate of approximately 50pps for the SYN attack. Packets appear to be spaced about 20ms apart.

The TCP 135 scans appear to run at about 12pps. At this rate it would take approximately 93.29 minutes to scan an entire /16. As Rob suggested, there appears to be approximately a 1.5-2 second delay between each 20 socket connects(). The TCP port 80 SYN flood does not appear to exhibit the same behavior.
The TCP port 135 scans carry the following TCP options: MSS (1460), SACK. The TCP port 80 SYN packets do not carry any TCP options.

-----Original Message-----
From: Oliver.Gruskovnjakat_private [mailto:Oliver.Gruskovnjakat_private]
Sent: Wednesday, August 13, 2003 4:04 AM
To: incidentsat_private
Subject: rpc dcom worm and windowsupdate

Hey guys,

Ok, our company is owned by the msblaster worm; now we would like to keep the ddos attack under control. Our idea is that we can make one of our proxies identify itself as windowsupdate.com. Now my question is: is the worm looking for windowsupdate.com per lookup, or does it have a fixed IP in the source? Does someone know anything? Does someone have the source :)

PS: What are you doing against it?

regards
Gruskovnjak Oliver

Bundesamt für Informatik und Telekommunikation BIT
Bereitstellung Netzdienste / BZBN
Monbijoustrasse 74
3003 Bern
Tel. +41 (0) 31 323 89 84
Fax +41 (0) 31 325 90 30
SMTP: oliver.gruskovnjakat_private
WEB: www.bit.admin.ch
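As an added example that is not part of this thread, the following Python fingerprints a packet against the SYN-flood parameters the analysis above reports (SYN-only to port 80 of a windowsupdate.com A record, TTL 128, IP ID 256, source port 1000-2000, no TCP options), so a sensor can count or alert on matching packets; the header builder, the internal source addresses and the three sample packets are constructed assumptions, not captures.

```python
import socket
import struct

# A records for windowsupdate.com quoted in the post above.
WINDOWSUPDATE_IPS = {"207.46.134.30", "207.46.134.94"}

def build_ipv4_tcp(src, dst, sport, dport, ttl, ip_id, flags, options=b""):
    """Build a header-only IPv4/TCP packet (checksums left zero); used only to construct samples."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, ((tcp_len // 4) << 12) | flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return the header fields the fingerprint needs, or None if this is not an IPv4/TCP packet."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, ip_id, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "ip_id": ip_id,
            "sport": sport, "dport": dport, "flags": off_flags & 0x3F,       # FIN/SYN/RST/PSH/ACK/URG
            "tcp_opts_len": (off_flags >> 12) * 4 - 20}                       # bytes of TCP options

def is_blaster_syn(pkt):
    """True when the packet matches every parameter of the port 80 SYN flood described in the post."""
    f = parse_ipv4_tcp(pkt)
    if f is None:
        return False
    return (f["dst"] in WINDOWSUPDATE_IPS and f["dport"] == 80 and f["flags"] == 0x02  # SYN only
            and f["ttl"] == 128 and f["ip_id"] == 256 and 1000 <= f["sport"] <= 2000
            and f["tcp_opts_len"] == 0)

# Constructed samples: a flood packet, a normal client SYN (MSS option, high ephemeral port),
# and a port 135 scan SYN carrying MSS + NOP + NOP + SACK-permitted options.
SAMPLES = {
    "flood": build_ipv4_tcp("10.1.77.5", "207.46.134.30", 1500, 80, 128, 256, 0x02),
    "browser": build_ipv4_tcp("10.1.2.3", "207.46.134.30", 49152, 80, 128, 4321, 0x02, b"\x02\x04\x05\xb4"),
    "scan135": build_ipv4_tcp("10.1.2.3", "10.1.9.9", 1501, 135, 128, 256, 0x02,
                              b"\x02\x04\x05\xb4\x01\x01\x04\x02"),
}

def classify(samples):
    """Map each sample name to whether it matches the flood fingerprint."""
    return {name: is_blaster_syn(pkt) for name, pkt in samples.items()}
```

The port 135 scan is deliberately excluded by the options check, so the same sensor would need a second rule (options present, destination port 135, same source-port and IP ID pattern) to count the scanning phase.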
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:26:36 PDT