Impending (mydoom) DOS attack

Is anyone taking any special precautions given the potential for a sudden increase in aggregate packets per second across your networks come Sunday afternoon, when the original Mydoom virus enters its DOS phase?

Does anyone know if the virus's assault will be slowed if it is unable to reach www.sco.com? I am hoping that if it cannot reach SCO's site, the HTTP GET command will be slow in returning, effectively reducing the volume of traffic a single PC is capable of generating. I am having a difficult time artificially forcing the virus to start its attack in a lab environment, so I am unable to confirm this.

Any input would be appreciated. Thanks!

I believe the only route to SCO comes via us, XO, to a customer of ours who
provides bandwidth to SCO. We've been in contact with our customer and they
have been in contact with SCO, discussing precautions we can take. I think
we're relaying the results of those discussions to our major peers. Since
I'm not directly involved, I will say no more...but at least you know we
are trying to do something.. :)

I would gather that you are correct in that if SCO's site cannot be reached..
in a way that connections have to 'time out', it would reduce the volume of
traffic and the rate of packets. Windows would be waiting for the SYN ACK
and not looping very quickly..

- Chris

Having looked for some information to educate myself and my employer,
I will say a weakness right now is that there is limited info about
this worm. I have yet to see any good information on how effective
the attack might be, or what some basic prevention steps (eg
filtering) might do to the worm.

Backbones don't often have people that disassemble worms. It would
be nice to find some way for the anti-virus companies to share more
details more quickly with various backbones in order to effectively
combat the DDOS portion of worms.

If anyone has any good analysis on the current worm (other than "it
attacks www.sco.com"), that would be welcome.

I think we should help out SCO by creating new wildcard entries into our DNS
servers that point *.sco.com to 127.0.0.1 as well as blackholing all SCO
SWIPd IP Address Space.

<a****le mode>
We should also never remove the above.
</a****le mode>

In a message written on Fri, Jan 30, 2004 at 04:18:05PM -0800, Donovan Hill wrote:

> I think we should help out SCO by creating new wildcard entries into our DNS
> servers that point *.sco.com to 127.0.0.1 as well as blackholing all SCO
> SWIPd IP Address Space.

I'm going to be one of the last people who will defend SCO's recent
actions. However, as much as I hate, and hate is the word, SCO, I
feel the need to speak up after your comments.

Bruce Perens has said it far better than I ever could at
http://perens.com/SCO/DOS/. Please read what he has to say.

We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on
this one. I am doing what I can with my employer to do just that.
Allowing attacks like this to succeed, either directly or indirectly
is far more harmful than allowing SCO to stay online. We cannot
condone these actions for any reason, the end does not justify the
means in the case of worms.

Yep, the information gap is pretty big on this one. Neither the
anti-virus vendors nor the ex-Symantec guy at Homeland Security
seems to be releasing many details on how the virus actually behaves
on the network. Lots of information about changing Windows
registries, but not much about how often it checks or loads
the network.

Some people say they've gotten it to do something in the lab, other
people report it's a dud. I can't tell what the difference is.

Leo Bicknell wrote:

> Bruce Perens has said it far better than I ever could at
> http://perens.com/SCO/DOS/. Please read what he has to say.
>
> We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on
> this one. I am doing what I can with my employer to do just that.

I agree both with Mr. Bicknell, and with Mr. Perens for the
reasons given.

I believe further that condemning this attack and doing what we
can to thwart it are simply the right things to do.

Are there any reliable estimates as to the number of infected hosts out there? Looking at my stats for email sent this week, I am seeing a 70:1 ratio for mydoom.a as compared to Swen.a (the next most prevalent virus). Perhaps if we had some rough numbers to work with we could start to approximate the range of traffic volumes we might see.

         ---Mike

Reliable? Not really.

McAfee's global virus statistics say 17% of all scanned computers were
infected by W32/Mydoom.a.

But I don't believe that number, because it is wildly different than
other metrics. A lot of users have experienced the MyDoom file being
on their computer (e.g. through a mail message). But I don't think
that represents the number of people who clicked and executed
the file, infecting their computer.

In a message written on Fri, Jan 30, 2004 at 04:18:05PM -0800, Donovan Hill wrote:

> I think we should help out SCO by creating new wildcard entries into our
> DNS servers that point *.sco.com to 127.0.0.1 as well as blackholing all
> SCO SWIPd IP Address Space.

> I'm going to be one of the last people who will defend SCO's recent
> actions. However, as much as I hate, and hate is the word, SCO, I
> feel the need to speak up after your comments.
>
> Bruce Perens has said it far better than I ever could at
> http://perens.com/SCO/DOS/. Please read what he has to say.
>
> We (Open Source, ISPs, etc) must, MUST, come to SCO's defense on
> this one. I am doing what I can with my employer to do just that.
> Allowing attacks like this to succeed, either directly or indirectly
> is far more harmful than allowing SCO to stay online. We cannot
> condone these actions for any reason, the end does not justify the
> means in the case of worms.

Please don't misunderstand me. I in no way condone or encourage DoS attacking
SCO/Caldera (or anyone for that matter). To my mind, that'd be like
encouraging one group of people to attack another group of people for any
reason. It's certainly not acceptable.

My comments were meant in partial jest and partial frustration. Jest as a
solution to the pending DDOS and frustration that SCO will spin this as an
attack by the Linux community against SCO, which it is not. I apologize if I
didn't make that clear.

For the record, I fully believe that this worm (both variants) is designed to
attack high profile targets in order to take the focus off of its spamming
capability and create uncertainty as to what group actually authored the
worm. It is my firm belief that this worm was written by spammers for the
purpose of creating spam relays.

Also, for the record, I believe everyone has the right to say what they will
regardless of legitimacy, and this does include SCO.

Again, I apologize if I gave the wrong impression that the pending DDOS attack
on SCO was a good thing. It's not.

> For the record, I fully believe that this worm (both variants) is designed to
> attack high profile targets in order to take the focus off of its spamming
> capability and create uncertainty as to what group actually authored the
> worm. It is my firm belief that this worm was written by spammers for the
> purpose of creating spam relays.

I'm not sure what the point of the DoS is if it's intended to be a spam engine;
that would have the effect of helping to identify and hence clean up the
infections.

Of course we're guessing about the spam connection; it doesn't have a spam engine
in it, the mail capabilities are purely to redistribute itself... to do spam you
need to add the engine via the backdoor.

I'm tempted to think it's nothing more than a bot and the backdoor is to allow
the controller to go in and change its target. The DoS engine isn't that well
written though, this is odd too...

Oh well, I guess we'll see tomorrow!

Steve

Ahh.. you didn't take the time to think it through. ;)

Consider - the perpetrator releases a *very* noisy worm with a DDoS engine
on it (admittedly buggy). Then you go on vacation someplace warm and sunny,
where visually attractive people of your preferred gender are walking around
wearing a lot more than you need to wear where you were...

Computers catch it. Computers spew it. Computers do their DDoS tapdance.
Hopefully users and ISP staff notice and take action.

Then 3 weeks later, you come back, tanned and rested - and run another
scan. If you find your spam backdoor on port 3127 *still* open on a
machine, you can be fairly sure you can spam away with impunity - if the
user and their ISP didn't notice the box spewing mail the FIRST time, they
won't notice the second time.....
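An added example, not code from the thread or from any poster on it: two checks a backbone or ISP operator could run over unidirectional flow records (NetFlow-style exports from routers) to find the two behaviours the thread describes, a customer host opening a stream of short TCP/80 connections to the target web server, and a host answering on TCP 3127, which is the only flow evidence that the backdoor is actually listening (inbound SYNs to 3127 are mostly other people's scans and prove nothing). The flow-line format, the threshold of 50 new flows per minute and all addresses are assumptions; 203.0.113.10 is a TEST-NET placeholder standing in for www.sco.com, not its real address, and every sample flow line is constructed.

```python
"""
Added example (not from the NANOG thread or any poster on it): two checks over
flow records for hosts behaving the way the thread describes Mydoom behaving.

Assumptions, none of them from the thread: the flow-line format, the threshold,
and the addresses.  203.0.113.10 (TEST-NET-3) stands in for www.sco.com; it is
not SCO's real address.  All flow lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

TARGET_IP = "203.0.113.10"   # assumed stand-in for www.sco.com
BACKDOOR_PORT = 3127         # backdoor port named in the thread
FLOOD_THRESHOLD = 50         # assumed: new flows to TARGET_IP:80 per source per minute


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line:
    '<epoch> <proto> <src>:<sport> -> <dst>:<dport> pkts=<n>'"""
    ts, proto, src, arrow, dst, pk = line.split()
    if arrow != "->" or not pk.startswith("pkts="):
        raise ValueError(f"malformed flow line: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), proto, src_ip, int(sport), dst_ip, int(dport), int(pk[5:]))


def flood_sources(flows: Iterable[Flow], threshold: int = FLOOD_THRESHOLD,
                  window: int = 60) -> Dict[str, int]:
    """Sources that opened >= threshold flows to TARGET_IP:80 inside one
    window-second bucket.  Returns {src: flows in its busiest bucket}."""
    per_bucket: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dst == TARGET_IP and f.dport == 80:
            per_bucket[(f.src, f.ts // window)] += 1
    hits: Dict[str, int] = {}
    for (src, _), n in per_bucket.items():
        if n >= threshold:
            hits[src] = max(n, hits.get(src, 0))
    return hits


def backdoor_hosts(flows: Iterable[Flow], port: int = BACKDOOR_PORT) -> Dict[str, List[str]]:
    """Inbound flows *to* 3127 are mostly other people's scans.  A flow *from*
    port 3127 on one of our hosts means the host answered, i.e. the port is
    really open.  Both sets are returned so the operator can tell them apart."""
    flows = list(flows)
    probed = {f.dst for f in flows if f.proto == "tcp" and f.dport == port}
    answered = {f.src for f in flows if f.proto == "tcp" and f.sport == port}
    return {"answered": sorted(answered), "probed_only": sorted(probed - answered)}


def build_sample_flows() -> List[str]:
    """Constructed flow lines, not captured data.  192.0.2.0/24 plays the ISP's
    customer space; 198.51.100.7 is an outside scanner."""
    t0 = 1075650000  # 2004-02-01 15:40 UTC, a Sunday afternoon
    lines = []
    # .15: a new connection to the target every half second for a minute
    for i in range(120):
        lines.append(f"{t0 + i // 2} tcp 192.0.2.15:{1025 + i} -> {TARGET_IP}:80 pkts=4")
    # .40: somebody actually reading the site, three connections in the same minute
    for i, off in enumerate((3, 21, 48)):
        lines.append(f"{t0 + off} tcp 192.0.2.40:{2000 + i} -> {TARGET_IP}:80 pkts=12")
    # the scanner probes 3127 on .15 and .22; only .15 replies
    lines.append(f"{t0 + 10} tcp 198.51.100.7:4001 -> 192.0.2.15:{BACKDOOR_PORT} pkts=1")
    lines.append(f"{t0 + 10} tcp 192.0.2.15:{BACKDOOR_PORT} -> 198.51.100.7:4001 pkts=1")
    lines.append(f"{t0 + 11} tcp 198.51.100.7:4002 -> 192.0.2.22:{BACKDOOR_PORT} pkts=1")
    return lines


def load_flows(lines: Iterable[str]) -> List[Flow]:
    return [parse_flow(l) for l in lines if l.strip()]


if __name__ == "__main__":
    flows = load_flows(build_sample_flows())
    print("GET-flood sources:", flood_sources(flows))
    print("3127 status:", backdoor_hosts(flows))
```

Run as a script it prints both reports. The threshold is deliberately conservative: a host opening more than one new connection a second to a single site for a full minute is not a person browsing, and the 3127 check only reports a host as "answered" when the flow data shows it replying, so scanners sweeping the customer space do not produce false positives on their own.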

I believe there is a major and perhaps fatal flaw in this analysis.

> I'm not sure what the point of the DoS is if it's intended to be a spam engine,
> that would have the effect of helping to identify and hence clean up the
> infections.

> Ahh.. you didn't take the time to think it through. ;)
>
> Consider - the perpetrator releases a *very* noisy worm with a DDoS engine
> on it (admittedly buggy). Then you go on vacation someplace warm and sunny,
> where visually attractive people of your preferred gender are walking around
> wearing a lot more than you need to wear where you were...

                ^^^^

The analysis works if that was the word "less".

> Computers catch it. Computers spew it. Computers do their DDoS tapdance.
> Hopefully users and ISP staff notice and take action.
>
> Then 3 weeks later, you come back, tanned and rested - and run another
> scan. If you find your spam backdoor on port 3127 *still* open on a
> machine, you can be fairly sure you can spam away with impunity - if the
> user and their ISP didn't notice the box spewing mail the FIRST time, they
> won't notice the second time.....

I doubt that the length of 3 is important. Based on my past
experience "Then 3 weeks later" can be replaced by "Some time later when
the cold is gone".

> The analysis works if that was the word "less".

D'oh! ;)

> I doubt that the length of 3 is important. Based on my past
> experience "Then 3 weeks later" can be replaced by "Some time later when
> the cold is gone".

Locally, I'm looking at a low of 7F tonight, with wind chills well below
zero, and the National Weather Service says Monday night we have "freezing
rain, with snow and sleet north of Highway 460". Great, I live 2 blocks
*south* of 460..

Anybody got recommendations on warm places that have good bandwidth to
the beach? :)

http://pacific.bizjournals.com/pacific/stories/2002/05/27/daily35.html
It will mean instant high-speed Web access in rooms, poolside, or oceanside. "(We) will be able to offer laptop computers with
Internet access and virtual office guest rooms," Hyatt Regency Maui GM Barry Lewin said.

http://www.mauiembassy.com/amenities.html

http://www.mauiskyfiber.com/pricing.html