
Re: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1



Hi,

This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
the following will happen: The worm uses spoofed IPs from the local /16
subnet as source address. Pointing all the syn packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.

Even blocking or routing the normally resolved IP to Null0 will be a lot of
work because this domain is load-balanced throughout the world. That means you
get a different resolution depending on your ISP or place in the world.

If you manipulate your DNS, you should give no A-Record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.

Best Regards,

Carsten Truckenbrodt
Arvato systems Network Security
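The sinkhole zone Carsten describes (a zone that answers authoritatively but hands back no A record, so the worm has nothing to connect to) looks like this in BIND 9 zone-file syntax. This is an added example, not something posted in the thread; the nameserver name `ns1.sinkhole.example`, the hostmaster address and the serial number are placeholders. One caveat a practitioner hits immediately: BIND 9 refuses to load a zone that has no NS record at the apex, so a literal "SOA only" zone will not start; an NS record pointing at the sinkhole server itself is the minimum.

```zone
; Sinkhole zone for windowsupdate.com (added example, not from the thread).
; Loaded on the internal resolver, it makes that resolver authoritative for
; the name. A query for windowsupdate.com gets NOERROR with an empty answer
; (NODATA); any name below it (e.g. www.windowsupdate.com) gets NXDOMAIN.
; Either way there is no address, so no SYN is sent and no RST comes back
; into the local /16.
$TTL 300
$ORIGIN windowsupdate.com.

@   IN  SOA  ns1.sinkhole.example. hostmaster.sinkhole.example. (
            2003081501 ; serial (placeholder, YYYYMMDDnn)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; minimum: also the negative-caching TTL (RFC 2308),
                       ; i.e. how long clients cache the "no such record" answer

; Required: BIND 9 logs "has no NS records" and refuses to load the zone
; without at least one apex NS. Point it at the sinkhole resolver itself.
@   IN  NS   ns1.sinkhole.example.

; Deliberately no A, AAAA, CNAME or wildcard records below this line.
```

Reference the file from `named.conf` with `zone "windowsupdate.com" { type master; file "db.windowsupdate.com.sinkhole"; };` on the resolver your clients actually use; the zone is never delegated publicly, so the placeholder NS name only has to be consistent, not resolvable. Keep the SOA minimum short (here 300 seconds) so that the negative answer ages out quickly once the real name is safe to restore.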

-----Original Message-----
From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
Sent: Friday, 15 August 2003 00:15
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1


Folks,

How about MS standing up for the mess, and changing their own DNS to point
all requests for windowsupdate.com and whatnot to 127.0.0.1 ?

This will null the effect of the syn flood very effectively. Only proxies
will be affected.

As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways ...

So they will have to issue an update for windows-updater through other
channels (like their homepage for example) to point it to a different
web-site .. that should not be all that much of a problem.

If MS does NOT make this change to their DNS, I can see many routers that are
trying to track connections toppling over in interesting ways.

Because the local techs have no clue, it will
take the affected companies ages to get back on the net.

tobi
-- 
Oetiker @ ISG.EE, ETZ J97, ETH, CH-8092 Zurich
System Manager, Time Lord, Coder, Designer, Coach
http://people.ee.ethz.ch/~oetiker   +41(0)1-632-5286
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html