[39653] in North American Network Operators' Group

Code Red : Any whitehouse.gov people around?

daemon@ATHENA.MIT.EDU (Jasper Wallace)
Thu Jul 19 19:41:42 2001

Date: Fri, 20 Jul 2001 00:41:06 +0100 (BST)
From: Jasper Wallace <jasper@ivision.co.uk>
To: <nanog@merit.edu>
Message-ID: <Pine.GSO.4.30.0107200031350.27811-100000@avengers>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



According to a recent post on bugtraq the worm is going to switch from
infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.

Now I'm not certain if the worm has a hardcoded IP to attack or will do a
DNS lookup for whitehouse.gov, but if it is going to do a DNS lookup then
they've still got a chance to change the A records in their DNS records to
something else, like 127.0.0.1.

Unfortunately this will make it hard for people to track down and fix
infected boxes, so if they could use an IP in a non-routable block,
that's unlikely to be used for anything else, e.g. 192.0.2.1, which is
on the 'TEST-NET', or possibly on 192.0.0.1, which is on the range HP
use for printer auto configuration (they only use 192.0.0.192).

The TTL on the A RR for whitehouse.gov is 24 hours unfortunately. :-(

-- 
Internet Vision          Internet Consultancy           Tel: 020 7589 4500
60 Albert Court            & Web development            Fax: 020 7589 4522
Prince Consort Road                                   vision@ivision.co.uk
London SW7 2BE                                   http://www.ivision.co.uk/
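
The trade-off described in the message above, as an added example that is not part of the original post: a name pointed at 127.0.0.1 keeps the traffic inside each infected host, while a TEST-NET address such as 192.0.2.1 puts it on the wire, where an operator can count it per source and find the boxes to fix. The flow-record format, the sample records, the function names and the 100-packet threshold are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Sinkhole address suggested in the post: a host inside TEST-NET (192.0.2.0/24).
SINKHOLE = ipaddress.ip_address("192.0.2.1")

# Constructed sample flow records: "timestamp src dst dport packets".
# Sources use private addressing to stand in for an operator's own hosts.
SAMPLE_FLOWS = """\
2001-07-20T00:00:03Z 10.1.4.17 192.0.2.1 80 412
2001-07-20T00:00:03Z 10.1.9.200 10.1.0.53 53 2
2001-07-20T00:00:04Z 10.1.7.88 192.0.2.1 80 388
2001-07-20T00:00:05Z 10.1.4.17 192.0.2.1 80 405
2001-07-20T00:00:06Z 10.1.2.5 192.0.2.1 80 1
malformed line here
2001-07-20T00:00:07Z 10.1.7.88 192.0.2.1 80 397
"""

def observable_on_wire(addr):
    """A loopback target never leaves the infected host, so the network sees nothing."""
    return not ipaddress.ip_address(addr).is_loopback

def suspect_hosts(flow_text, sinkhole=SINKHOLE, min_packets=100):
    """Return {source: packets} for sources sending min_packets or more to the sinkhole."""
    totals = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        _, src, dst, _, packets = fields
        try:
            if ipaddress.ip_address(dst) == sinkhole:
                totals[ipaddress.ip_address(src)] += int(packets)
        except ValueError:
            continue  # unparseable address or packet count
    # Sort numerically by address so the report order is stable.
    return {str(s): n for s, n in sorted(totals.items()) if n >= min_packets}

if __name__ == "__main__":
    for target in ("127.0.0.1", str(SINKHOLE)):
        print(target, "visible to operators:", observable_on_wire(target))
    for host, packets in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host} sent {packets} packets to the sinkhole")
```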

