But doesn't that mean the hacker won?
If you change the DNS and a user can not get to
windowsupdate, you just helped him create a better
DoS than he had...
J
McBurnett, Jim wrote:
But doesn't that mean the hacker won?
If you change the DNS and a user can not get to windowsupdate, you just helped him create a better
DoS than he had...
I have no affiliation with Microsoft, nor do I care about their services or products. What I do care about is a worm that sends out packets uncontrolled. If there is the possibility that this "planned" DOS will cause issues with my topology, then I will do whatever it takes to stop it. The fact that user's can't reach windowsupdate.com is irrelevant.
-Jack
Jack Bates Wrote:
I have no affiliation with Microsoft, nor do I care about their services
or products. What I do care about is a worm that sends out packets
uncontrolled. If there is the possibility that this "planned" DOS will
cause issues with my topology, then I will do whatever it takes to stop
it. The fact that user's can't reach windowsupdate.com is irrelevant.
There will most likely be issues with a lot of networks.
I had a glimpse of what is to come on the 16th on Tuesday. We have a
firewall customer that had an infected machine behind the firewall and the
RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50
attempts per second trying to connect on port 80 to windowsupdate.com.
Since the worm was sending from a spoofed source address the firewall was
denying the packets. This customers network is a /24 out of traditional
Class B space and I was seeing random source addresses from almost every IP
out of the /16.
This is not a forensic analysis, just what I observed in the firewall logs.
Is it a coincidence that 8/16 is a Saturday....I think not. A lot less
personal on-site to deal with possible issues.
-Mark Vallar