[67068] in North American Network Operators' Group
Re: Did Wanadoo, French ISP, block access to SCO?
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Sun Feb 1 19:48:58 2004
Date: Mon, 2 Feb 2004 00:48:19 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: "Rubens Kuhl Jr." <rubens@email.com>
Cc: Valdis.Kletnieks@vt.edu, <nanog@merit.edu>
In-Reply-To: <091a01c3e91a$7f3cac10$020ba8c0@NOTEBOOK>
Errors-To: owner-nanog-outgoing@merit.edu
So that's 1-0 to the worm!
You could do some real cool things if you were controlling the DNS for a site
under a major sustained DDoS, who doesn't the intended victim like.. just fire up
an A record and they're gone! ;p
Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.
Steve
On Sun, 1 Feb 2004, Rubens Kuhl Jr. wrote:
>
> Just drop the www.sco.com DNS record, as they did... this particular worm
> goes after the URL, not the IP it usually had.
>
> >nslookup www.sco.com
>
> *** can't find www.sco.com: Non-existent domain
>
> >nslookup www.caldera.com
>
> Non-authoritative answer:
> Name: www.caldera.com
> Address: 216.250.128.12
>
>
>
> Rubens
>
>
>
> ----- Original Message -----
> From: <Valdis.Kletnieks@vt.edu>
> To: "Rubens Kuhl Jr." <rubens@email.com>
> Cc: <hackerwacker@cybermesa.com>; <nanog@merit.edu>
> Sent: Sunday, February 01, 2004 9:09 PM
> Subject: Re: Did Wanadoo, French ISP, block access to SCO?
>
> On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <rubens@email.com>
> said:
> >
> > And by blackholing that IP they've also blackholed www.caldera.com, which is
> > currently not a DDoS target but is also not responding to requests.
>
> Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
> how do you create a DDoS that wouldn't take out the Caldera site as well?
>
> A sheer-traffic DDoS will hurt both. A synflood will hurt both.
>
> The webserver that's listening on port 80 doesn't know which site
> is being connected to until it actually reads in the HTTP/1.1 headers and
> looks at the Host: tag - and if there's enough things arriving with
> 'Host: www.sco.com', it will require some *very* creative filtering/limiting
> to keep one website working while the other is down....
>
>
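
An added example, not part of the original thread: a sketch of the per-name limiting the quoted message alludes to, where two names share one IP and the server can only tell them apart after reading the `Host:` header. The names `host_of`, `PerHostLimiter`, `simulate` and `sample_traffic`, the rate and burst values, and the traffic itself are assumptions constructed for illustration. It acts only on requests that have already been accepted and parsed, so it does nothing against the sheer-traffic or synflood cases, which hit both sites alike.

```python
from collections import defaultdict
from typing import Optional

def host_of(raw: bytes) -> Optional[str]:
    """Lowercased Host header (port stripped) from a raw request head, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.partition(":")[0]          # assumes no IPv6 literal
    return None

class PerHostLimiter:
    """Token bucket per Host value: `rate` tokens/second, capacity `burst`."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.buckets = {}                          # host -> (tokens, last_seen)

    def allow(self, host: str, now: float) -> bool:
        tokens, last = self.buckets.get(host, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[host] = (tokens - 1.0 if ok else tokens, now)
        return ok

def simulate(requests, rate=1.0, burst=5.0):
    """requests: (timestamp, raw_bytes) pairs. Returns {host: [served, dropped]}."""
    limiter = PerHostLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, raw in sorted(requests):
        host = host_of(raw) or "<no-host>"
        stats[host][0 if limiter.allow(host, ts) else 1] += 1
    return dict(stats)

def sample_traffic():
    """Constructed input: one second of traffic, 100 requests for one name, 3 for the other."""
    def req(host):
        return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    flood = [(i / 100, req("www.sco.com")) for i in range(100)]
    normal = [(t, req("www.caldera.com")) for t in (0.1, 0.5, 0.9)]
    return flood + normal

if __name__ == "__main__":
    for host, (served, dropped) in simulate(sample_traffic()).items():
        print(f"{host}: served={served} dropped={dropped}")
```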