[unisog] Blaster DDOS potential

Greg Schaffer schaffer at mtsu.edu
Thu Aug 14 20:07:20 GMT 2003


For what it's worth, we had one machine with the date set past 8/16 and
monitored its traffic level.  The one machine consistently used about 37kbps
sending spoofed packets to windowsupdate.com.  We didn't test it with any
other machines so I suppose there can be variants to the BW used, but on the
other hand this may be a gauge of sorts.  I was sort of expecting a lot
higher bandwidth usage.

Greg

----- Original Message -----
From: "hermit921" <hermit921 at yahoo.com>
To: <unisog at sans.org>
Sent: Thursday, August 14, 2003 2:22 PM
Subject: Re: [unisog] Blaster DDOS potential


> We got hit on Monday, and infected machines immediately started sending
> http traffic to windowsupdate.com.  The source IP addresses were spoofed,
> but still within our /16 address space.  Some of the spoofed addresses were
> from non-existent subnets.
>
> hermit921
>
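
The behaviour reported in this thread (sources spoofed inside the site's own /16, some in subnets that do not exist) means the source address cannot identify the infected host, but the access port the traffic arrives on can. The following is an added example, not part of the original messages: it flags switch ports whose flows carry sources outside the allocated subnets or more than one source per port. The address ranges, port names, flow records and the per-port threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values (constructed): the site's /16 and the subnets actually in use.
CAMPUS = ipaddress.ip_network("10.20.0.0/16")
ALLOCATED = [ipaddress.ip_network(n) for n in ("10.20.1.0/24", "10.20.2.0/24")]

# Constructed flow records: (access switch port, source IP, destination TCP port).
FLOWS = [
    ("sw1/3", "10.20.1.15", 80),
    ("sw1/7", "10.20.1.44", 80),
    ("sw1/7", "10.20.200.9", 80),   # inside the /16, subnet does not exist
    ("sw1/7", "10.20.77.130", 80),  # inside the /16, subnet does not exist
    ("sw1/7", "10.20.2.61", 80),    # valid subnet, but another source on the same port
    ("sw2/1", "10.20.2.8", 443),
]

def classify(src):
    """Place a source address relative to the site's address plan."""
    ip = ipaddress.ip_address(src)
    if ip not in CAMPUS:
        return "external"
    if any(ip in net for net in ALLOCATED):
        return "allocated"
    return "unallocated"

def suspect_ports(flows, max_sources=1):
    """Return {port: reasons} for ports whose traffic suggests source spoofing."""
    sources = defaultdict(set)
    for port, src, _dport in flows:
        sources[port].add(src)
    report = {}
    for port, srcs in sources.items():
        reasons = []
        bogus = sorted(s for s in srcs if classify(s) != "allocated")
        if bogus:
            reasons.append("sources outside allocated subnets: " + ", ".join(bogus))
        if len(srcs) > max_sources:
            reasons.append(f"{len(srcs)} distinct sources on one port")
        if reasons:
            report[port] = reasons
    return report

if __name__ == "__main__":
    for port, reasons in suspect_ports(FLOWS).items():
        print(port, "->", "; ".join(reasons))
```

The same allocated-subnet list can drive egress filtering at the border, so that sources from non-existent subnets are dropped before they leave the site.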
