[67037] in North American Network Operators' Group


Re: Impending (mydoom) DOS attack

daemon@ATHENA.MIT.EDU (Laurence F. Sheldon, Jr.)
Sat Jan 31 18:48:50 2004

Date: Sat, 31 Jan 2004 17:48:13 -0600
From: "Laurence F. Sheldon, Jr." <larrysheldon@cox.net>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

I believe there is a major and perhaps fatal flaw in this analysis.

Valdis.Kletnieks@vt.edu wrote:
> 
> On Sat, 31 Jan 2004 18:24:42 GMT, "Stephen J. Wilcox" said:
> > I'm not sure what the point of the DoS is if its intended to be a spam engine,
> > that would have the effect of helping to identify and hence clean up the
> > infections.
> 
> Ahh.. you didn't take the time to think it through. ;)
> 
> Consider - the perpetrator releases a *very* noisy worm with a DDoS engine
> on it (admittedly buggy).  Then you go on vacation someplace warm and sunny,
> where visually attractive people of your preferred gender are walking around
> wearing a lot more than you need to wear where you were...
                ^^^^

The analysis works if that was the word "less".

> 
> Computers catch it.  Computers spew it.  Computers do their DDoS tapdance.
> Hopefully users and ISP staff notice and take action.
> 
> Then 3 weeks later, you come back, tanned and rested - and run another
> scan.  If you find your spam backdoor on port 3127 *still* open on a
> machine, you can be fairly sure you can spam away with impunity - if the
> user and their ISP didn't notice the box spewing mail the FIRST time, they
> won't notice the second time.....

I doubt that the length of 3 is important.  Based on my past
experience "Then 3 weeks later" can be replaced by "Some time later when
the cold is gone".
