RE: msblast.exe worm FINDINGS (DDoS) ---> Can someone please confirm?

From: David Gillett (gillettdavidat_private)
Date: Thu Aug 14 2003 - 12:36:15 PDT


    > I build a BIND server (10.10.10.1/24) with a forward AND reverse DNS for
    > windowsupdate.com as a fictitious address 10.10.20.10/24.  I then put an
    > infected client (10.10.10.5/24) on the wire, and set the date ahead to
    > the 20th (just for kicks).  This simulates a 'real' environment, since we
    > typically won't be on the same network segment as windowsupdate.com,
    > right?  *grin*
    >
    > Can anyone else independently validate these results?  I'm particularly
    > interested in the first result, of the high-ARP issue...
    
      This suggests that in addition to spoofing an address within the
    infected machine's /16, it ALSO assumes a /16 for purposes of routing
    the outbound attacks.
    
    David Gillett
    
    
    
    




    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 17:19:49 PDT