[Dshield] DDOS Started?

Johannes B. Ullrich jullrich at sans.org
Fri Aug 15 20:41:02 GMT 2003


> : I have noticed that there are no longer any DNS entries for
> : windowsupdate.com or www.windowsupdate.com.
> : windowsupdate.microsoft.com still works.

The only hostname attacked is 'windowsupdate.com'.
This host name is NOT used by Windows Update.
Instead, Windows Update uses 'windowsupdate.microsoft.com'.

'windowsupdate.com' no longer resolves. As a result,
the DDOS attack will not happen. The infected machines will just keep
scanning.

Until 'windowsupdate.com' resolves again. At this point, the infected
machines will hit it once they are rebooted.



-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
