[unisog] Windows Update

Tracey Losco tracey at nyu.edu
Thu Aug 14 19:57:36 GMT 2003


Here is an analysis that I came across.  It looks like the DDoS is 
only on port 80, but targeted by IP.  The code will give you the info 
you were looking for regarding reverse-engineering.  See the 


At 3:04 PM -0400 8/14/03, Anderson Johnston wrote:
>I took this idea to our network boss. He suggested that he modify the DNS
>to redirect packets to an IP where I can monitor the sources for later
>identification.  That way we can catch some of the ones we haven't found
>so far - especially the dial-ins.
>1.)	Just to confirm, the DoS attack is targeted by name
>	("windowsupdate.com"), right?
>2.)	Is the DoS attack on port 80 only?
>3.)	SYN flooding?  TCP connect attempts?
>4.)	Has anybody reverse-engineered the worm yet to see
>	what it really does?  I looked at it with Process
>	Explorer and it looked like it might be using cookie files, but
>	that hasn't been mentioned in any write-up I've seen.
>						Thanks,
>							- Andy
>On Wed, 13 Aug 2003, E. Larry Lidz wrote:
>>  What are people doing about the future existence, or lack thereof, of
>>  Windows Update?
>>  We're concerned from two levels: first, the ability to get patches once
>>  the DoS starts. All the preliminary estimates I've seen of the traffic
>>  volume seem to indicate that there is almost no chance that MS will
>>  have the bandwidth at hand to weather the storm (the backbone providers
>>  might be able to mitigate some of the damage by null routing some
>>  traffic, but it's still going to be a massive amount).
>>  We're thinking that to handle this, we'll probably get a local mirror
>>  of Microsoft's patches and make that available to campus. It isn't
>>  Windows Update, but it's something.
>>  The second concern is the infected machines on our network that might
>>  be contributing to the DoS. We've pretty much eliminated the worm from
>>  our campus proper, but it runs rampant in our modem pool (we're
>>  blocking appropriate ports in both directions to prevent it from
>>  infecting others) and we have occasional new infections. Regardless,
>>  we're going to be sending some packets Microsoft's way no matter what.
>>  We've considered putting an invalid IP into our DNS servers for
>>  windowsupdate.com. Apparently this will stop the DoS. We've also heard
>>  that Windows Update actually goes to windowsupdate.microsoft.com and
>>  therefore people would be able to get to the right site. We haven't
>>  confirmed this. However, this wouldn't stop infected people pointing to
>>  other DNS servers.
>>  There is, of course, the possibility of rate limiting down the traffic
>>  until we can get rid of the compromised machines. This seems like a bit
>>  of work, but perhaps we can automate it somehow.
>>  Thoughts? Ideas? Microsoft seems to be pretty silent on what they want
>>  people to do, if anything.
>>  -Larry
>>  ---
>>  E. Larry Lidz                                        Phone: +1 773 702-2208
>>  Sr. Network Security Officer                         Fax:   +1 773 834-8444
>>  Network Security Center, The University of Chicago
>>  PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
>** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
>** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
>** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
>** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **

Tracey Losco
Network Security Analyst		security at nyu.edu
ITS - Network Services		http://www.nyu.edu/its/security
New York University			(212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5
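The monitoring idea raised in the quoted replies (redirect windowsupdate.com in local DNS to an IP you control, then watch who keeps hitting it on port 80 so the infected hosts, dial-ins included, can be identified and cleaned) can be reduced to a small log-triage script. The following is an added example written for this archive page, not code posted by anyone in the thread: the sinkhole address 10.99.0.1, the dial-in range 10.30.0.0/16 and the tcpdump-style capture lines are all constructed for illustration.

```python
"""Sinkhole triage: tally SYNs to the DNS-redirected windowsupdate.com IP.

Reads one-line tcpdump-style records captured on the sinkhole host and
reports which internal sources repeatedly open TCP/80 to it, which is the
signature of an infected machine still trying to take part in the DoS.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical sinkhole address: the IP that local DNS now returns for
# windowsupdate.com so the attack traffic lands on a host we control.
SINKHOLE_IP = "10.99.0.1"

# Hypothetical modem-pool (dial-in) range, flagged separately because the
# thread notes the worm runs rampant there and those hosts are hard to find.
DIALIN_NETS = [ip_network("10.30.0.0/16")]

# Constructed sample capture in classic tcpdump one-line format.
SAMPLE_LOG = """\
19:57:01.100 IP 10.20.4.17.1034 > 10.99.0.1.80: S 1001:1001(0) win 16384
19:57:01.105 IP 10.20.4.17.1035 > 10.99.0.1.80: S 1002:1002(0) win 16384
19:57:01.110 IP 10.20.4.17.1036 > 10.99.0.1.80: S 1003:1003(0) win 16384
19:57:01.200 IP 10.30.7.200.2201 > 10.99.0.1.80: S 2001:2001(0) win 8192
19:57:01.205 IP 10.30.7.200.2202 > 10.99.0.1.80: S 2002:2002(0) win 8192
19:57:02.000 IP 10.20.9.5.3000 > 10.99.0.1.80: S 3001:3001(0) win 16384
19:57:02.010 IP 10.20.9.5.3000 > 10.99.0.1.80: . ack 1 win 16384
19:57:02.100 IP 10.20.4.17.1040 > 10.99.0.1.443: S 4001:4001(0) win 16384
19:57:02.200 IP 10.20.4.17.1041 > 10.99.0.2.80: S 5001:5001(0) win 16384
"""

# timestamp, "IP", src.sport > dst.dport: flags ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_line(line):
    """Return the fields of one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def tally_syn_sources(log_text, sinkhole_ip=SINKHOLE_IP, port=80):
    """Count connection attempts (SYN only) per source to sinkhole_ip:port.

    ACKs and data packets are ignored so a single legitimate session is not
    inflated; traffic to other ports or other destinations is not counted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] != sinkhole_ip or rec["dport"] != port:
            continue
        if "S" not in rec["flags"]:
            continue
        counts[rec["src"]] += 1
    return counts


def is_dialin(ip, nets=DIALIN_NETS):
    """True if the address falls inside one of the modem-pool ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def suspects(counts, threshold=2):
    """Sources at or above the SYN threshold, busiest first, with dial-in flag."""
    hits = [(ip, n, is_dialin(ip)) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n, dialin in suspects(tally_syn_sources(SAMPLE_LOG)):
        print(f"{ip:16} {n:4d} SYNs to {SINKHOLE_IP}:80"
              + ("  [modem pool]" if dialin else ""))
```

In practice the capture would come from the sinkhole host itself (any packet logger that emits one line per packet will do, as long as the regex is adjusted to its format), and the threshold should sit well above what one browser session produces, since a real client that happens to resolve windowsupdate.com will also show up once or twice.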
