The impending DDoS storm

Michael Painter tvhawaii at shaka.com
Thu Aug 14 18:16:19 UTC 2003


http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;start=0

----- Original Message ----- 
From: "Josh Fleishman" <flyman2 at corp.earthlink.net>
To: <nanog at merit.edu>
Sent: Thursday, August 14, 2003 5:24 AM
Subject: RE: The impending DDoS storm


> Has anyone determined a method for triggering the DOS attack manually?
> We've attempted this by changing an infected machine's clock, however it
> did not work on our test box.  If anyone has triggered the attack, do
> you have a copy of the sniffed data stream?  
> 
> It sounds like uRPF is going to be of very little benefit to blocking
> the attack if the spoofed addresses come from the infected host's
> subnet/parent subnet.
> 
> -Josh
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Mark Vallar
> Sent: Wednesday, August 13, 2003 7:18 PM
> To: nanog at merit.edu
> Subject: Re: The impending DDoS storm
> 
> 
> 
> 
> Jack Bates Wrote:
> 
> > I have no affiliation with Microsoft, nor do I care about their
> > services or products. What I do care about is a worm that sends out 
> > packets uncontrolled. If there is the possibility that this "planned" 
> > DOS will cause issues with my topology, then I will do whatever it 
> > takes to stop it. The fact that users can't reach windowsupdate.com 
> > is irrelevant.
> >
> 
> There will most likely be issues with a lot of networks.
> 
> I had a glimpse of what is to come on the 16th on Tuesday.  We have a
> firewall customer that had an infected machine behind the firewall and
> the RTC clock was set incorrectly to 8/16.  The firewall was *logging*
> ~50 attempts per second trying to connect on port 80 to
> windowsupdate.com. Since the worm was sending from a spoofed source
> address the firewall was denying the packets.  This customer's network is
> a /24 out of traditional Class B space and I was seeing random source
> addresses from almost every IP out of the /16.
> 
> This is not a forensic analysis, just what I observed in the firewall
> logs.
> 
> Is it a coincidence that 8/16 is a Saturday....I think not.  A lot less
> personnel on-site to deal with possible issues.
> 
> -Mark Vallar
> 
> 
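
The uRPF point raised in the quoted messages, worked through as an added example that is not part of the original thread: a small simulation of strict and loose uRPF checks at two filter points, fed with sources spoofed from the infected host's own /24 and from its parent /16. The prefixes, interface names and two-router topology are constructed assumptions.

```python
import ipaddress
import random

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    hits = [(net.prefixlen, iface) for net, iface in fib if addr in net]
    return max(hits)[1] if hits else None

def urpf_accepts(fib, src, in_iface, mode):
    """strict: best route back to src must leave via in_iface.
    loose: any route to src is enough."""
    egress = lookup(fib, src)
    return egress is not None if mode == "loose" else egress == in_iface

def pass_rate(fib, in_iface, mode, sources):
    """Fraction of packets (by source address) that survive the check."""
    ok = sum(urpf_accepts(fib, s, in_iface, mode) for s in sources)
    return ok / len(sources)

def spoofed_sources(net, count, seed=1):
    """Random addresses drawn from net, standing in for spoofed sources."""
    rng = random.Random(seed)
    return [net[rng.randrange(net.num_addresses)] for _ in range(count)]

# Constructed topology (assumption): the ISP holds 172.20.0.0/16 and
# routes 172.20.5.0/24 to the customer with the infected host.
PARENT = ipaddress.ip_network("172.20.0.0/16")
CUSTOMER = ipaddress.ip_network("172.20.5.0/24")
ACCESS_FIB = [(CUSTOMER, "cust0"), (PARENT, "core0")]  # ISP access router
UPSTREAM_FIB = [(PARENT, "peer0")]                     # next network up

def report(count=5000):
    """Pass rates per spoofing range and per filter point."""
    results = {}
    for label, net in (("own /24", CUSTOMER), ("parent /16", PARENT)):
        srcs = spoofed_sources(net, count)
        results[label] = {
            "access strict": pass_rate(ACCESS_FIB, "cust0", "strict", srcs),
            "access loose": pass_rate(ACCESS_FIB, "cust0", "loose", srcs),
            "upstream strict": pass_rate(UPSTREAM_FIB, "peer0", "strict", srcs),
        }
    return results

if __name__ == "__main__":
    for label, row in report().items():
        print(label, row)
```

Only strict mode on the customer-facing interface drops the /16-spoofed traffic; sources spoofed inside the host's own /24 pass every check, so those packets have to be handled by other means such as destination-based filtering.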


