[39694] in North American Network Operators' Group
Re: Code Red : Any whitehouse.gov people around?
daemon@ATHENA.MIT.EDU (Etaoin Shrdlu)
Fri Jul 20 10:18:18 2001
Message-ID: <3B583BA1.AA58EF5E@deaddrop.org>
Date: Fri, 20 Jul 2001 07:09:37 -0700
From: Etaoin Shrdlu <shrdlu@deaddrop.org>
To: Nanog <nanog@merit.edu>
Cc: Sabri Berisha <sabri@bit.nl>
Sabri Berisha wrote:
>
> On Fri, 20 Jul 2001, Jasper Wallace wrote:
>
> > According to a recent post on bugtraq the worm is going to switch from
> > infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
>
> Knowing that some of the colocated boxes in our network *might* be
> infected; I have placed a nullroute for 198.137.240.92 (the IP
> www.whitehouse.gov resolves to).
Wrong IP to blackhole. Oops. I've copied the bugtraq post below for
those of you who are not subscribed, who might have missed it, or are
overwhelmed.
> > On Thu, 19 Jul 2001, Laurence Hand wrote:
>
> >
> > I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
> > the next day). I was getting 5-10 attempts an hour, and I've had 0
> > since 4:43:29 PDT.
> >
> > Folks will notice that www.whitehouse.gov is still accessible. The worm
> > authors only put in one IP address, the one for www1.whitehouse.gov. BBN
> > (who appears to be the provider for whitehouse.gov, according to my
> > tracert) has blocked that single IP address at their peering points. So
> > www2.whitehouse.gov is still running just fine.
> >
> > Presumably, www.whitehouse.gov used to be RR DNS between the two. Now,
> > www.whitehouse.gov resolves to just 198.137.240.92, and it has a TTL of
> > only 872.
> >
> > For a relatively clever worm, the author sure screwed up his target list.
> > Whoops.
Best to change that nullroute to www1.whitehouse.gov, and let up on
www2.
Name: www1.whitehouse.gov
Address: 198.137.240.91
Name: www2.whitehouse.gov
Address: 198.137.240.92
--
Powered by Guinness.
Feds never "take a vacation" from being a fed.
Aj Effin ReznoR