On Wed, 2003-08-13 at 19:03, Oliver.Gruskovnjakat_private wrote:
> Ok our company is owned by the msblaster worm, now we would like to keep the
> ddos attack under control.
> Our Idea is, that we can make that one of our proxies will identify himself
> as windowsupdate.com.

If you use proxies for web access and mandate the use of proxies by all internal clients on the Internet firewall then the DDOS attack won't make it out. The worm wouldn't know about using a proxy, it'll try to go out directly.

If your proxying is done transparently (clients *think* they talk to the remote web server, but the firewall redirects their requests to a proxy) then the proxy server itself will be subjected to the SYN flood attack. It won't make outbound connections to windowsupdate.com until after it has read the client's request. This obviously implies a successful TCP handshake with the client, and SYN flood attacks are based around not completing this handshake. Hence, unless you allow outbound HTTP connections from Internal systems other than proxies you needn't worry about DOSing MS.

Your proxies don't run W2K or XP, now do they?

Cheers
Steffen.
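The following is an added example, not part of the original message: with the egress policy described above (only proxies may make outbound HTTP connections), the firewall's deny log doubles as a list of hosts trying to go out directly. The address plan, proxy addresses, `EGRESS-DENY` log prefix and iptables-style log format are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed values, not from the original message: address plan, proxy list,
# and an iptables-style log line with an "EGRESS-DENY" prefix.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXIES = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample firewall log (192.0.2.x are documentation addresses).
SAMPLE_LOG = """\
Aug 13 19:10:01 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=192.0.2.80 PROTO=TCP SPT=1045 DPT=80 SYN
Aug 13 19:10:01 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=192.0.2.80 PROTO=TCP SPT=1046 DPT=80 SYN
Aug 13 19:10:02 fw kernel: EGRESS-ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=192.0.2.80 PROTO=TCP SPT=33012 DPT=80 SYN
Aug 13 19:10:02 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.7.9 DST=192.0.2.80 PROTO=TCP SPT=1201 DPT=80 SYN
Aug 13 19:10:03 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=192.0.2.25 PROTO=TCP SPT=1047 DPT=25 SYN
Aug 13 19:10:03 fw kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=192.0.2.80 PROTO=TCP SPT=1048 DPT=80 SYN
Aug 13 19:10:04 fw kernel: EGRESS-DENY IN=eth1 SRC=not-an-ip PROTO=TCP DPT=80 SYN
"""


def direct_http_attempts(log_text):
    """Return [(source_ip, count)] for denied direct TCP/80 SYNs from
    internal hosts that are not proxies, busiest source first."""
    hits = Counter()
    for line in log_text.splitlines():
        tokens = line.split()
        # Only initial SYNs (no ACK) that the egress rule dropped.
        if "EGRESS-DENY" not in tokens or "SYN" not in tokens or "ACK" in tokens:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "80":
            continue
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # malformed or truncated entry
        if src in INTERNAL_NET and src not in PROXIES:
            hits[str(src)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for host, count in direct_http_attempts(SAMPLE_LOG):
        print(f"{host}\t{count} blocked direct HTTP SYNs")
```

Hosts in the output never used the proxy for those connections, which makes them the first candidates for cleanup.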