In-Reply-To: <848AC18579DA9F4BB0BD181EEDDB519E266237at_private>

I know this is probably moot since Microsoft has cleaned up their DNS record, but did anyone actually test setting the DNS record to loopback before recommending it?

We did test this in an isolated subnet. Everyone is right that the TCP SYN no longer goes out to windowsupdate.com, but now a TCP RST is sent to the random source IP used by the worm. Since the random source addresses are based on the PC's own IP, the PC was now spraying packets all over in your own network. Depending on your routing setup, this would probably have been more harmful (to end users) than just letting it try to go to Microsoft and blocking it at your firewall.

-Tim
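A detection sketch for the side effect described in the message above, as an added example that is not part of the original post: it flags hosts that send TCP RSTs to many distinct addresses inside their own prefix. The flow-record format, the /16 prefix length and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the original post): "src dst tcp_flags".
SAMPLE_FLOWS = """\
10.1.4.20 10.1.77.3 RST
10.1.4.20 10.1.201.9 RST
10.1.4.20 10.1.13.250 RST
10.1.4.20 10.1.90.41 RST
10.1.4.20 192.0.2.10 SYN
10.1.8.5 10.1.4.20 RST
10.1.8.5 198.51.100.7 SYN
"""

def parse_flows(text):
    """Yield (src, dst, flags) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield src, dst, parts[2].upper()

def rst_sprayers(text, prefix_len=16, min_targets=3):
    """Return {host: count of distinct RST destinations} for hosts that sent
    RSTs to at least min_targets distinct addresses inside their own prefix.
    prefix_len and min_targets are assumed tuning values, not from the post."""
    targets = defaultdict(set)
    for src, dst, flags in parse_flows(text):
        if "RST" not in flags or src.version != dst.version:
            continue
        # Network the sender belongs to under the assumed prefix length.
        own_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if dst in own_net and dst != src:
            targets[str(src)].add(str(dst))
    return {h: len(d) for h, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, count in rst_sprayers(SAMPLE_FLOWS).items():
        print(f"{host} sent RSTs to {count} distinct in-prefix addresses")
```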
This archive was generated by hypermail 2b30 : Sat Aug 16 2003 - 13:07:18 PDT