[Dshield] MyDoom/NoVarg DoS details

Johannes B. Ullrich jullrich at sans.org
Wed Jan 28 14:09:25 GMT 2004

> I suppose one could add an entry into there own DNS that points toward there
> own static intranet webpage,

well, the infected user will not see the page (unless they happen to
visit sco.com). However, the idea is sound. Redirect traffic for sco.com
to a 'sink' and notify users that hit it more then n-times.

If you happen to run iptables, you could even rate limit traffic to
sco.com, or trigger based on number of requests, so you don't prevent
random users from going to sco.com to sign up for their Linux licenses.

On the other hand, in particular if this is a corporate environment,
just scan for open port 3127. I think at least Eeye now released a
scanner if you don't want to break out nmap.

I would assume that your false positive rate is rather low, even if you
don't look at the response (just a ']' in the case of MyDoom).

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040128/bfbb780b/attachment.bin

More information about the list mailing list