As far as I can see, Microsoft already fixed the situation; there won't be any DDoS. Can someone confirm this? The DNS record of windowsupdate.com is empty/deleted.

To your question: this 127.0.0.1-thing is a very bad idea, because the worm will use spoofed source IP addresses from your local network. The machine itself (127.0.0.1) will flood RST packets, because of the closed port, through your local network (nice thing ;)

And no: windowsupdate.microsoft.com is not needed, as it is not resolved by the worm.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, 15 August 2003 09:43
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: AW: [Full-Disclosure] DDos counter measures
>
> > Since our IntraNet solves all its DNS queries through internal caches
> > (mandatory bottleneck), we created windowsupdate.com &
> > windowsupdate.microsoft.com zones in this bottleneck DNS. These are
> > resolving to 127.0.0.1 with DNS wildcards.
>
> Is it necessary to add windowsupdate.microsoft.com to this?
> So far, all analysis indicated that it attacks
> windowsupdate.com, the old legacy site. Or did I miss something?
>
> best regards / mit freundlichen Gruessen,
>
> Tom Vogt
> Hansenet Webfarm Security
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
