The DDoS packets should go straight to your firewall. They are raw IP packets crafted with the windowsupdate.com ip address as the destination, not that of your proxy server, so they should be sent to your gateway device. The source IP is randomized in various ways so probably won't appear to originate from within your network. The source MAC should be traceable back to the infected machine however.
Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jasper Blackwell Sent: Wednesday, August 13, 2003 12:03 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] MSBlast DDoS Does anyone know if the DoS which works on port 80, according to the Eeye advisory, is going to go through the proxy servers or just straight to the firewall? I would guess it will go through the proxy servers. Also any clues what to look for on the firewall logs? Again if it goes through the proxy servers I suppose looking for a lot of traffic from our proxies to the windows update site, using TCP traffic. Jasp _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
