Shameful to say, I had to pull up a timezone map to figure out that... at 7AM Central time US, tomorrow, NZ will see the MSBlaster worm kicking off its flood at the windowsupdate.com website.
Upshot: companies with "just a few" infected hosts will see those hosts pound TCP SYN traffic at port 80 on windowsupdate.com as fast as they can. A single host can flood out a 100M Ethernet segment, and ergo, just about any company's outbound Internet capacity.
If you hadn't found all the infected hosts in your enterprise... you'll sure find them now.
Clever trick #1 that a number of people have discussed: The worm uses DNS to look up windowsupdate.com (which is, after all, dynamically load-balanced geographically with variable IP)... so no escape for MS -- Mr. Worm will find them yet! The clever trick is that companies with their own *internal* DNS can set up *.windowsupdate.com to resolve to 127.0.0.1. Infected hosts will just beat on themselves, causing no disruption.
The wave of worms activating their DoS mode will be highly reminiscent of the Y2K watch on New Year's Eve. Let's hope it's as uneventful.
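One way to find the hosts doing the pounding, as an added example that is not part of the original post: count bare SYNs to port 80 per source, destination and second, and report any source above a threshold. The log layout, the 100 SYN/s threshold, and all addresses and timestamps are assumptions constructed for illustration.

```python
from collections import Counter

def make_sample():
    """Constructed log lines: 'epoch_seconds src_ip dst_ip dst_port tcp_flags'.
    Hypothetical layout; addresses are private/documentation ranges."""
    lines = []
    # 10.0.0.23 sends 400 bare SYNs to one web address within one second
    lines += ["1060992000 10.0.0.23 198.51.100.10 80 S"] * 400
    # 10.0.0.7 browses normally: a few SYNs spread over hosts and seconds
    lines += [f"{1060992000 + i} 10.0.0.7 203.0.113.{i + 1} 80 S" for i in range(5)]
    # 10.0.0.9: heavy traffic that is not SYN-to-80 and must be ignored
    lines += ["1060992000 10.0.0.9 198.51.100.10 80 A"] * 500
    lines += ["1060992001 10.0.0.9 198.51.100.20 25 S"] * 500
    lines.append("truncated log line")
    return lines

def find_flooders(lines, syn_per_sec=100, dport=80):
    """Return {src: (dst, peak SYNs in one second)} for sources whose
    SYN rate to a single destination exceeds syn_per_sec (assumed threshold)."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or truncated record
        ts, src, dst, port, flags = parts
        if not (ts.isdigit() and port.isdigit()):
            continue
        if int(port) != dport or flags != "S":
            continue  # only connection attempts to the web port count
        counts[(src, dst, int(ts))] += 1
    peaks = {}
    for (src, dst, _second), n in counts.items():
        if n > syn_per_sec and n > peaks.get(src, ("", 0))[1]:
            peaks[src] = (dst, n)
    return peaks

if __name__ == "__main__":
    for src, (dst, n) in sorted(find_flooders(make_sample()).items()):
        print(f"{src} -> {dst}:80 peak {n} SYN/s")
```

Grouping by destination keeps a busy proxy or browser, which spreads its connections across many servers, from tripping the same threshold as a host hammering one site.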