[unisog] Blaster DDOS potential

Peter Van Epp vanepp at sfu.ca
Fri Aug 15 02:02:47 GMT 2003


On Thu, Aug 14, 2003 at 10:16:16AM -0400, Ed Gibson wrote:
> Hello everyone
> 
> This morning's discussions around the water fountain brought forth
> concern about excessive DDOS traffic being thrown outbound this weekend.
> Trend Micro's overview of the virus indicates that it is coded to throw
> DDOS at windowsupdate.com starting on August 16th, i.e. after midnight
> Friday.... Obviously something we don't want to spend our weekend
> reacting to. While we're cornering as best we can the remaining Blasters,
> we were entertaining the idea of hijacking the DNS entry for
> windowsupdate.com and pointing it towards a bit bucket at least until
> Monday morning.
> 
> Thoughts/comments?
> 
> Ed Gibson
> University of Western Ontario
> Network Operations
> 

	For those of us with inline wireless authentication (Vernier/Blue Socket
et al.) route the entire windowsupdate netblock at an authentication port
behind the authentication box. The box will redirect to an internal web server
(at least Vernier does) and if the user authenticates it will transparently
proxy the connection through to the real Microsoft site (assuming it is still
up of course). If it's the worm come calling it won't make it through the box
and (again at least in the Vernier case) the MAC address of the machine
connecting will be logged in syslog (until the Vernier box overloads, if it
does, when that task falls back on argus sitting on the input to the Vernier
box :-)). That will at least keep trouble within your borders but allow legit
access if it's possible to do so for your users and give you the MAC address of
machines that need to be whacked.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
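As an added triage example (not from this thread, and not Vernier's or argus's own output format), the script below assumes a hypothetical whitespace-separated flow record format and a placeholder netblock standing in for windowsupdate's; it ranks source MAC addresses by the number of unanswered SYNs sent to port 80 in that netblock, which is the list of machines to clean up once the box or argus has logged them.

```python
import ipaddress
from collections import Counter, defaultdict

# Placeholder netblock standing in for the windowsupdate range (assumption, not the real one).
WINDOWSUPDATE_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records in a hypothetical format:
# src_mac src_ip dst_ip dst_port state   (state "S" = SYN seen, no answer; "SA" = handshake completed)
SAMPLE_FLOWS = """\
00:11:22:33:44:01 10.1.2.3     192.0.2.10   80 S
00:11:22:33:44:01 10.1.9.7     192.0.2.10   80 S
00:11:22:33:44:01 10.1.200.45  192.0.2.10   80 S
00:11:22:33:44:01 10.1.17.250  192.0.2.10   80 S
00:11:22:33:44:01 10.1.3.3     192.0.2.10   80 S
00:11:22:33:44:01 10.1.88.12   192.0.2.10   80 S
00:11:22:33:44:02 10.1.5.5     192.0.2.10   80 SA
00:11:22:33:44:03 10.1.6.6     192.0.2.10   80 S
00:11:22:33:44:03 10.1.6.6     198.51.100.7 80 S
00:11:22:33:44:04 10.1.7.7     198.51.100.7 80 S
"""


def parse_flows(text):
    """Parse the hypothetical flow format into (mac, src_ip, dst_ip, dst_port, state) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, src, dst, port, state = line.split()
        records.append((mac, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), state))
    return records


def suspect_hosts(records, netblock=WINDOWSUPDATE_NET, threshold=5):
    """Return {mac: (syn_count, sorted source IPs)} for MACs with >= threshold unanswered SYNs
    to port 80 inside netblock. Keying on the MAC rather than the source IP means the
    count survives a host that varies its source address."""
    counts = Counter()
    sources = defaultdict(set)
    for mac, src, dst, port, state in records:
        if dst in netblock and port == 80 and state == "S":
            counts[mac] += 1
            sources[mac].add(str(src))
    return {mac: (n, sorted(sources[mac])) for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for mac, (n, ips) in suspect_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{mac}: {n} unanswered SYNs from {', '.join(ips)}")
```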
