[60543] in North American Network Operators' Group
Re: The impending DDoS storm
daemon@ATHENA.MIT.EDU (Mark Vallar)
Wed Aug 13 19:19:51 2003
From: "Mark Vallar" <mark@vallar.net>
To: <nanog@merit.edu>
Date: Wed, 13 Aug 2003 19:17:51 -0400
Errors-To: owner-nanog-outgoing@merit.edu
Jack Bates Wrote:
> I have no affiliation with Microsoft, nor do I care about their services
> or products. What I do care about is a worm that sends out packets
> uncontrolled. If there is the possibility that this "planned" DOS will
> cause issues with my topology, then I will do whatever it takes to stop
> it. The fact that user's can't reach windowsupdate.com is irrelevant.
>
There will most likely be issues with a lot of networks.
I had a glimpse of what is to come on the 16th on Tuesday. We have a
firewall customer that had an infected machine behind the firewall and the
RTC clock was set incorrectly to 8/16. The firewall was *logging* ~50
attempts per second trying to connect on port 80 to windowsupdate.com.
Since the worm was sending from a spoofed source address the firewall was
denying the packets. This customers network is a /24 out of traditional
Class B space and I was seeing random source addresses from almost every IP
out of the /16.
This is not a forensic analysis, just what I observed in the firewall logs.
Is it a coincidence that 8/16 is a Saturday....I think not. A lot less
personal on-site to deal with possible issues.
-Mark Vallar
