
[Full-Disclosure] MSBlast DDoS



Hi All,

I should have kept on reading the list after TC's post and I would have 
found the answer to my question, doh :). It's early here and I hadn't had 
any caffeine yet, always a bad idea trying to think before my morning caffeine 
:).

Anyway, another question for you all. We are having some success here 
tracking infected machines by looking for dropped 135 connection attempts to 
Internet IP addresses on our Internet firewall log. I am wondering what the 
DoS traffic is going to look like on our firewall logs should any infections 
still be with us on the 16th. Our setup requires PCs to connect to the 
Internet through proxy servers, and those proxy servers' IP addresses are 
allowed through the firewall; the PCs' IP address ranges are not.

Does anyone know if the DoS, which works on port 80 according to the eEye 
advisory, is going to go through the proxy servers or just straight to the 
firewall? I would guess it will go through the proxy servers.

Also, any clues what to look for on the firewall logs? Again, if it goes 
through the proxy servers, I suppose looking for a lot of traffic from our 
proxies to the Windows Update site, using TCP traffic.

Jasp
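
The tracking approach described in this message (dropped port 135 attempts from inside hosts to Internet addresses) can be scripted over a firewall log. The following is an added example, not part of the original post: the log line format, the 10.0.0.0/8 internal range, the sample lines and the `min_targets` threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall log format (not from the post).
SAMPLE_LOG = """\
Aug 14 08:01:02 fw DROP TCP src=10.1.4.23 dst=198.51.100.7 dport=135
Aug 14 08:01:02 fw DROP TCP src=10.1.4.23 dst=198.51.100.8 dport=135
Aug 14 08:01:03 fw DROP TCP src=10.1.4.23 dst=198.51.100.9 dport=135
Aug 14 08:01:04 fw ACCEPT TCP src=10.1.0.5 dst=203.0.113.80 dport=80
Aug 14 08:01:05 fw DROP TCP src=10.1.7.99 dst=10.1.4.23 dport=135
Aug 14 08:01:06 fw DROP TCP src=10.1.9.14 dst=203.0.113.20 dport=135
Aug 14 08:01:07 fw DROP UDP src=10.1.4.23 dst=198.51.100.7 dport=135
"""

LINE_RE = re.compile(
    r"\b(?P<action>DROP|ACCEPT)\s+(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)
# Assumption: the site's internal address plan. Replace with the real PC ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspect_hosts(log_text, min_targets=3):
    """Map each internal source to its count of distinct Internet targets on
    dropped TCP/135, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than abort the run
        if (m["action"], m["proto"], m["dport"]) != ("DROP", "TCP", "135"):
            continue
        try:
            if is_internal(m["src"]) and not is_internal(m["dst"]):
                targets[m["src"]].add(m["dst"])
        except ValueError:
            continue  # malformed address field
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, count in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {count} distinct Internet targets on dropped TCP/135")
```

Counting distinct destinations rather than raw drops keeps a single misconfigured client that retries one address from being reported alongside hosts that sweep many addresses.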
