[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] MSBlast DDoS

To: "Jasper Blackwell" <jasper599@hotmail.com>, <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] MSBlast DDoS
From: "Chris Eagle" <cseagle@redshift.com>
Date: Wed, 13 Aug 2003 05:35:24 -0700

The DDoS packets should go straight to your firewall.  They are raw IP
packets crafted with the windowsupdate.com ip address as the destination,
not that of your proxy server, so they should be sent to your gateway
device.  The source IP is randomized in various ways so probably won't
appear to originate from within your network.  The source MAC should be
traceable back to the infected machine however.

Chris

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Jasper
Blackwell
Sent: Wednesday, August 13, 2003 12:03 AM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] MSBlast DDoS


Does anyone know if the DoS which works on port 80, according to the Eeye
advisory, is going to go through the proxy servers or just straight to the
firewall? I would guess it will go through the proxy servers.

Also any clues what to look for on the firewall logs? Again if it goes
through the proxy servers I suppose looking for a lot of traffic from our
proxies to the windows update site, using TCP traffic.

Jasp


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] MSBlast DDoS
  - From: "Benjamin M.A. Robson" <brobson@fulcrum.com.au>

References:
- [Full-Disclosure] MSBlast DDoS
  - From: "Jasper Blackwell" <jasper599@hotmail.com>

Prev by Date: Re: [Full-Disclosure] PHP dlopen() -> Fun with apache (and other
Next by Date: Re: [Full-Disclosure] what to do
Prev by thread: [Full-Disclosure] MSBlast DDoS
Next by thread: Re: [Full-Disclosure] MSBlast DDoS
Index(es):
- Date
- Thread