FYI - we tried this with the worm and it *doesn't* work. msblast.exe spoofed the source address as the loopback address handed out from our DNS. We instead created an empty windowsupdate.com zone.
- Matt

> All,
>
> We found a simple solution to protect our IntraNet against the DDoS.
>
> Since the msblast.exe will SYN flood windowsupdate.com (or
> windowsupdate.microsoft.com) with 50 packets per second (according to our
> tests).
>
> Since our IntraNet solves all its DNS queries through internal caches
> (mandatory bottleneck), we created windowsupdate.com &
> windowsupdate.microsoft.com zones in this bottleneck DNS. These are
> resolving to 127.0.0.1 with DNS wildcards.
>
> After the Microsoft DNS TTL has expired (15 minutes is the worst TTL), we
> got confirmation that all known windowsupdate domain hosts (www.windowsupdate.com,
> windowsupdate.microsoft.com, v3.windowsupdate.microsoft.com &
> v4.windowsupdate.microsoft.com) were resolved to localhost.
>
> We now expect the worm to flood the box it is hosted on and so preserve
> our IntraNet.
>
> Hope this can help others.
>
> Brgrds
>
> Laurent LEVIER
> Equant Information Technology & Systems - Equant Security Organization -
> Internal Network (WAN IntraNet) - Systems & Networks Security Expert
> Tel. CVN : 7223-1912, ext. (+33) 4 92 38 19 12
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Matthew Lange, CISSP
763-633-0100 home
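The two sinkhole variants discussed in this thread, written out as an added example for an internal caching resolver running BIND 9 (this is illustrative configuration, not the zone data Laurent or Matt actually deployed). The names ns1.corp.internal and hostmaster.corp.internal are placeholders for the internal resolver and its contact; the serial and timers are constructed values. Variant A is the wildcard zone from Laurent's post that answers 127.0.0.1 for every host under the domain; variant B is the empty zone Matt moved to, which returns NXDOMAIN for every host so the worm has no address to send to at all.

```bind
;; Added example, not configuration from the thread. Assumes BIND 9 on the
;; internal caching resolver; ns1.corp.internal / hostmaster.corp.internal are
;; placeholder names for that resolver and its admin mailbox.

;; --- named.conf fragment: make the resolver authoritative for both names ---
;; Both zones can point at the same file, since the sinkhole content is identical.
;;
;;   zone "windowsupdate.com"           IN { type master; file "/etc/bind/db.sinkhole"; };
;;   zone "windowsupdate.microsoft.com" IN { type master; file "/etc/bind/db.sinkhole"; };

;; --- /etc/bind/db.sinkhole, variant A: wildcard to loopback (Laurent's approach) ---
$TTL 300                              ; short TTL so the sinkhole can be removed quickly
@   IN  SOA ns1.corp.internal. hostmaster.corp.internal. (
                2003081201            ; serial (constructed)
                3600                  ; refresh
                900                   ; retry
                604800                ; expire
                300 )                 ; negative-caching TTL
    IN  NS  ns1.corp.internal.
    IN  A   127.0.0.1                 ; the bare zone name itself
*   IN  A   127.0.0.1                 ; www, v3, v4, any other label: all answer 127.0.0.1

;; --- /etc/bind/db.sinkhole, variant B: empty zone (Matt's approach) ---
;; Only the SOA and NS records exist. Every host lookup inside the zone gets
;; NXDOMAIN from this resolver, cached for the negative-caching TTL (300 s).
$TTL 300
@   IN  SOA ns1.corp.internal. hostmaster.corp.internal. (
                2003081201 3600 900 604800 300 )
    IN  NS  ns1.corp.internal.
```

Before loading either file, `named-checkzone windowsupdate.com /etc/bind/db.sinkhole` catches syntax mistakes; after the Microsoft records already cached on the resolver have aged out (the 15-minute worst case from the thread), `dig @<resolver> www.windowsupdate.com A` should show either 127.0.0.1 (variant A) or status NXDOMAIN (variant B). Either variant also stops legitimate Windows Update lookups through that resolver, so the zones need to be removed once the infected hosts are patched.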