It kinda looks like the virus or whatever it is, is spoofing
source IP.
Now I am seeing lots of spoofed packets trying to egress out of
our network.
We are filtering egress traffic so obviously it's being dropped at
edge of course...
Just cleared access-list counter about a minute or so ago an
Yes, we are starting to see this as well. We are filtering at the edge, so
the bogus packets are not getting out.
We have a /19 of 64.7.128.0/19 and 64.7.229.241 is totally bogus for our
network.
Aug 14 21:59:16 telus-151front /kernel: ipfw: 3 Deny TCP
64.7.229.241:1069 204.79.188.11:80
Is anyone else seeing backscatters on your network about windowsupdate.com's IP?
Someone who transits through 65.123.21.137 router is sending out lots of packets
to 204.79.188.11 (windowsupdate.com) in which it's not currently advertised to
internet as we speak. Not to mention, packets seem to be
Dan Hollis wrote:
On Wed, 13 Aug 2003, Jason Frisvold wrote:
If the blaster cannot get a proper DNS response, it continues to
replicate via port 135... It then goes into a retry cycle and continues
to try to get a good DNS lookup.
has anyone tried tarpitting eg labrea to slow the worm?
Oh yeah, La
> What is everyone doing, if anything, to prevent the apparent upcoming
> DDoS attack against Microsoft?
let's go shopping!
On Wed, 2003-08-13 at 10:55, Ingevaldson, Dan (ISS Atlanta) wrote:
-Does one DNS lookup on "windowsupdate.com" and then uses the IP
No, I wouldn't dream of setting windowsupdate.com to 127.0.0.1. Who in
their right mind would do that?
-Jack
Since no one has brought it up yet, wouldn't it be just dandy if rev 2 of
this worm attacked different stuff? Call it the perfect storm, RPC
vulnerability used to whack infrastructure. It doesn't take long to think of
the perfect combinations since this thing was cut and pasted together.
> has anyone tried tarpitting eg labrea to slow the worm?
I have been using my Linux kernel module ipt_TARPIT (included in the latest
netfilter.org patch-o-matic release) to do this for any IPs on my network
lacking a route, including outbound from my customers and inbound to my
unused address sp
On Wed, 13 Aug 2003, Jason Frisvold wrote:
> All,
>
> What is everyone doing, if anything, to prevent the apparent upcoming
> DDoS attack against Microsoft? From what I've been reading, and what
> I've been told, August 16th is the apparent start date...
>
> We're looking for some
es
Cc: [EMAIL PROTECTED]
Subject: Re: The impending DDoS storm
Does anyone have any notion of what the Blaster worm will do if the
DNS lookup for "windowsupdate.com" returns NXDOMAIN? If it handles this
case by not sending any miscreant love, might that not be the best way
to mitigate the p
rity Systems, Inc.
> The Power to Protect
> http://www.iss.net
> ===
>
>
> -Original Message-
> From: Jason Frisvold [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 10:50 AM
> To: Ingevaldson, Dan (ISS Atlanta)
> Cc: Stephen J. Wilcox
ates wrote:
> Date: Wed, 13 Aug 2003 11:10:13 -0500
> From: Jack Bates <[EMAIL PROTECTED]>
> To: Jason Frisvold <[EMAIL PROTECTED]>
> Cc: "Ingevaldson, Dan (ISS Atlanta)" <[EMAIL PROTECTED]>,
> Stephen J. Wilcox <[EMAIL PROTECTED]>, [EMAIL PROTEC
> Sent: Wednesday, August 13, 2003 10:38 AM
> To: Jason Frisvold
> Cc: [EMAIL PROTECTED]
> Subject: Re: The impending DDoS storm
>
>
>
>
> On Wed, 13 Aug 2003, Jason Frisvold wrote:
>
> > All,
> >
> > What is everyone doing, if anything, to preven
EMAIL PROTECTED]
Subject: Re: The impending DDoS storm
Jack Bates Wrote:
> I have no affiliation with Microsoft, nor do I care about their
> services or products. What I do care about is a worm that sends out
> packets uncontrolled. If there is the possibility that this "planned"
--On Thursday, August 14, 2003 11:24:53 AM -0400 Josh Fleishman
<[EMAIL PROTECTED]> wrote:
Has anyone determined a method for triggering the DOS attack manually?
We've attempted this by changing an infected machine's clock, however it
did not work on our test box. If anyone has triggered the att
Today at 11:24 (-0400), Josh Fleishman wrote:
> Date: Thu, 14 Aug 2003 11:24:53 -0400
> From: Josh Fleishman <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: The impending DDoS storm
>
> Has anyone determined a method for triggering the DOS attack manually?
>
On Wed, 13 Aug 2003, Jason Frisvold wrote:
> If the blaster cannot get a proper DNS response, it continues to
> replicate via port 135... It then goes into a retry cycle and continues
> to try to get a good DNS lookup.
has anyone tried tarpitting eg labrea to slow the worm?
-Dan
--
[-] Omae no
PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: The impending DDoS storm
http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;start=0
- Original Message -
From: "Josh Fleishman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, Augu
ug 2003 11:10:13 -0500
> > From: Jack Bates <[EMAIL PROTECTED]>
> > To: Jason Frisvold <[EMAIL PROTECTED]>
> > Cc: "Ingevaldson, Dan (ISS Atlanta)" <[EMAIL PROTECTED]>,
> > Stephen J. Wilcox <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>
http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat;start=0
- Original Message -
From: "Josh Fleishman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 5:24 AM
Subject: RE: The impending DDoS storm
>
>
All,
What is everyone doing, if anything, to prevent the apparent upcoming
DDoS attack against Microsoft? From what I've been reading, and what
I've been told, August 16th is the apparent start date...
We're looking for some solution to prevent wasting our network
resources trans
Jack Bates Wrote:
> I have no affiliation with Microsoft, nor do I care about their services
> or products. What I do care about is a worm that sends out packets
> uncontrolled. If there is the possibility that this "planned" DOS will
> cause issues with my topology, then I will do whatever it t
McBurnett, Jim wrote:
But doesn't that mean the hacker won?
If you change the DNS and a user can not get to
windowsupdate, you just helped him create a better
DoS than he had...
I have no affiliation with Microsoft, nor do I care about their services
or products. What I do care about is a worm
23 matches