[67063] in North American Network Operators' Group


Re: Did Wanadoo, French ISP, block access to SCO?

daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Sun Feb 1 18:25:00 2004

Reply-To: "Rubens Kuhl Jr." <rubens@email.com>
From: "Rubens Kuhl Jr." <rubens@email.com>
To: <Valdis.Kletnieks@vt.edu>
Cc: <nanog@merit.edu>
Date: Sun, 1 Feb 2004 21:24:07 -0200
Errors-To: owner-nanog-outgoing@merit.edu


Just drop the www.sco.com DNS record, as they did... this particular worm
goes after the URL, not the IP it usually had.

>nslookup www.sco.com

*** can't find www.sco.com: Non-existent domain

>nslookup www.caldera.com

Non-authoritative answer:
Name:    www.caldera.com
Address:  216.250.128.12



Rubens



----- Original Message ----- 
From: <Valdis.Kletnieks@vt.edu>
To: "Rubens Kuhl Jr." <rubens@email.com>
Cc: <hackerwacker@cybermesa.com>; <nanog@merit.edu>
Sent: Sunday, February 01, 2004 9:09 PM
Subject: Re: Did Wanadoo, French ISP, block access to SCO?

On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <rubens@email.com>
said:
>
> And by blackholing that IP they've also blackholed www.caldera.com, which is
> currently not a DDoS target but is also not responding to requests.

Umm, I'll bite.  If www.sco.com and www.caldera.com are on the same IP,
how do you create a DDoS that wouldn't take out the Caldera site as well?

A sheer-traffic DDoS will hurt both.  A synflood will hurt both.

The webserver that's listening on port 80 doesn't know which site
is being connected to until it actually reads in the HTTP/1.1 headers and
looks at the Host: tag - and if there's enough things arriving with
'Host: www.sco.com', it will require some *very* creative filtering/limiting
to keep one website working while the other is down....
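
Added example, not part of the original thread: a minimal per-virtual-host admission check of the kind the quoted message alludes to, which can only act after the TCP connection is accepted and the Host: header has been read, so it does nothing against a bandwidth flood or synflood. The function names, the VHOSTS set, the rate and burst values, and the sample requests are assumptions constructed for illustration.

```python
from collections import Counter

VHOSTS = {"www.sco.com", "www.caldera.com"}  # names served from the shared IP


def host_of(raw: bytes):
    """Return the lowercased Host value (port stripped) from a request head, or None."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            # Simplification: hostnames only, no bracketed IPv6 literals.
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None


class PerHostLimiter:
    """Token bucket per virtual host: `rate` tokens/second, capacity `burst`."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.buckets = {}                          # host -> (tokens, last_seen)

    def allow(self, host: str, now: float) -> bool:
        tokens, last = self.buckets.get(host, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[host] = (tokens - 1 if ok else tokens, now)
        return ok


def admit(raw: bytes, limiter: PerHostLimiter, now: float) -> str:
    """Decide what to do with one request whose headers have already been read."""
    host = host_of(raw)
    if host not in VHOSTS:                         # also bounds the bucket table
        return "reject"
    return "serve" if limiter.allow(host, now) else "shed"


def run_sample():
    """Constructed burst: 20 requests for one name, 2 for the other, same instant."""
    req = lambda h: b"GET / HTTP/1.1\r\nHost: " + h + b"\r\n\r\n"
    traffic = [req(b"www.sco.com")] * 20 + [req(b"www.caldera.com")] * 2
    limiter = PerHostLimiter(rate=1.0, burst=5)
    tally = Counter()
    for raw in traffic:
        tally[(host_of(raw), admit(raw, limiter, now=0.0))] += 1
    return dict(tally)


if __name__ == "__main__":
    print(run_sample())
```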

