Code Red : Any whitehouse.gov people around?
shrdlu at deaddrop.org
Fri Jul 20 14:09:37 UTC 2001
Sabri Berisha wrote:
> On Fri, 20 Jul 2001, Jasper Wallace wrote:
> > According to a recent post on bugtraq the worm is going to switch from
> > infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
> Knowing that some of the colocated boxes in our network *might* be
> infected; I have placed a nullroute for 188.8.131.52 (the IP
> www.whitehouse.gov resolves to).
Wrong IP to blackhole. Oops. I've copied the bugtraq post below for
those of who are not subscribed, who might have missed it, or are
> > On Thu, 19 Jul 2001, Laurence Hand wrote:
> > I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
> > the next day). I was getting 5-10 attempts an hour, and I've had 0
> > since 4:43:29 PDT.
> > Folks will notice that www.whitehouse.gov is still accessible. The worm
> > authors only put in one IP address, the one for www1.whitehouse.gov. BBN
> > (who appears to be the provider for whitehouse.gov, according to my
> > tracert) has blocked that single IP address at their peering points. So
> > www2.whitehouse.gov is still running just fine.
> > Presumably, www.whitehouse.gov used to be RR DNS between the two. Now,
> > www.whitehouse.gov resolves to just 184.108.40.206, and it has a TTL of
> > only 872.
> > For a relatively clever worm, the author sure screwed up his target list.
> > Whoops.
Best to change that nullroute to www1.whitehouse.gov, and let up on
Powered by Guiness.
Feds never "take a vacation" from being a fed.
Aj Effin ReznoR
More information about the NANOG