Windows Update

E. Larry Lidz ellidz at
Thu Aug 14 03:14:02 GMT 2003

What are people doing about the future existence, or lack thereof, of
Windows Update?

We're concerned from two levels: first, the ability to get patches once
the DoS starts. All the preliminary estimates I've seen of the traffic
volume seem to indicate that there is almost no chance that MS will
have the bandwidth at hand to weather the storm (the backbone providers
might be able to mitigate some of the damage by null routing some
traffic, but it's still going to be a massive amount). 

We're thinking that to handle this, we'll probably get a local mirror
of Microsoft's patches and make that available to campus. It isn't
Windows Update, but it's something.

The second concern is the infected machines on our network that might
be contributing to the DoS. We've pretty much eliminated the worm from
our campus proper, but it runs rampant in our modem pool (we're
blocking appropriate ports in both directions to prevent it from
infecting others) and we have occasional new infections. Regardless,
we're going to be sending some packets Microsoft's way no matter what.

We've considered putting an invalid IP into our DNS servers for Apparently this will stop the DoS. We've also heard
that Windows Update actually goes to and
therefore people would be able to get to the right site. We haven't
confirmed this. However, this wouldn't stop infected people pointing to
other DNS servers.

There is, of course, the possibility of rate limiting down the traffic
until we can get rid of the compromised machines. This seems like a bit
of work, but perhaps we can automate it somehow.

Thoughts? Ideas? Microsoft seems to be pretty silent on what they want
people to do, if anything.


E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
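One way to automate picking the rate-limiting candidates the post talks about, as an added example that is not part of the original post: it parses constructed flow-log lines, buckets connections per source per minute, and flags sources whose connection rate to the update host looks like worm traffic rather than a user checking for patches. The placeholder hostname, the log format and the threshold are assumptions, not taken from the post.

```python
from collections import defaultdict
from datetime import datetime

# Placeholder standing in for the Windows Update hostname the post refers to.
UPDATE_HOST = "windowsupdate.example.invalid"
EPOCH = datetime(1970, 1, 1)


def constructed_sample():
    """Constructed flow-log lines, not real data: '<timestamp> <src_ip> <dst_host> <bytes>'.
    One host hammers the update site 50 times in a minute; another checks it three
    times over half an hour and also pulls a large file from the local mirror."""
    lines = ["2003-08-14T03:00:%02d 10.10.5.23 %s 60" % (i, UPDATE_HOST) for i in range(50)]
    lines += ["2003-08-14T03:%02d:10 10.10.9.8 %s 1200" % (m, UPDATE_HOST) for m in (0, 10, 20)]
    lines.append("2003-08-14T03:05:00 10.10.9.8 mirror.example.invalid 5000")
    return "\n".join(lines)


def parse_flows(text):
    """Parse log lines into (timestamp, src_ip, dst_host, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def flag_flooding_hosts(flows, threshold=20, window_seconds=60):
    """Return {src_ip: peak connections per window} for sources that open more than
    `threshold` connections to UPDATE_HOST inside any single window.  Bucketing per
    window keeps a host that legitimately talks to the site a few times a day from
    being flagged just because its daily total is high."""
    buckets = defaultdict(int)
    for ts, src, dst, _ in flows:
        if dst != UPDATE_HOST:          # traffic to the local mirror is not counted
            continue
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        buckets[(src, bucket)] += 1
    peak = defaultdict(int)
    for (src, _), count in buckets.items():
        peak[src] = max(peak[src], count)
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for src, n in flag_flooding_hosts(parse_flows(constructed_sample())).items():
        print("rate-limit candidate: %s (%d connections/minute)" % (src, n))
```

The flagged list is what you would feed into whatever rate-limiting or quarantine step the modem pool supports; the threshold should be tuned against a sample of known-clean hosts first.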

