[unisog] Windows Update

Arnold, Jamie harnold at binghamton.edu
Thu Aug 14 15:24:36 GMT 2003


-----Original Message-----
From: E. Larry Lidz [mailto:ellidz at uchicago.edu] 
Sent: Wednesday, August 13, 2003 11:14 PM
To: unisog at sans.org
Subject: [unisog] Windows Update

What are people doing about the future existence, or lack thereof, of
Windows Update?

We're concerned from two levels: first, the ability to get patches once
the DoS starts. All the preliminary estimates I've seen of the traffic
volume seem to indicate that there is almost no chance that MS will have
the bandwidth at hand to weather the storm (the backbone providers might
be able to mitigate some of the damage by null routing some traffic, but
it's still going to be a massive amount). 

We're thinking that to handle this, we'll probably get a local mirror of
Microsoft's patches and make that available to campus. It isn't Windows
Update, but it's something.

The second concern is the infected machines on our network that might be
contributing to the DoS. We've pretty much eliminated the worm from our
campus proper, but it runs rampant in our modem pool (we're blocking
appropriate ports in both directions to prevent it from infecting
others) and we have occasional new infections. Regardless, we're going
to be sending some packets Microsoft's way no matter what.

We've considered putting an invalid IP into our DNS servers for
windowsupdate.com. Apparently this will stop the DoS. We've also heard
that Windows Update actually goes to windowsupdate.microsoft.com and
therefore people would be able to get to the right sight. We haven't
confirmed this. However, this wouldn't stop infected people pointing to
other DNS servers.

There is, of course, the possibility of rate limiting down the traffic
until we can get rid of the compromised machines. This seems like a bit
of work, but perhaps we can automate it somehow.

Thoughts? Ideas? Microsoft seems to be pretty silent on what they want
people to do, if anything.


E. Larry Lidz                                        Phone: +1 773
Sr. Network Security Officer                         Fax:   +1 773
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

More information about the unisog mailing list