Shameful to say, I had to pull up a timezone map to figure out that... at 7AM Central time US, tomorrow, NZ will see the MSBlaster worm kicking off its flood at the windowsupdate.com website.
Upshot: companies with "just a few" infected hosts will see those hosts pound TCP SYN traffic at port 80 on windowsupdate.com as fast as they can. A single host can flood out a 100M ethernet segment, and ergo, just about any company's outbound Internet capacity.
If you hadn't found all the infected hosts in your enterprise... you'll sure find them now.
Clever trick #1 that a number of people have discussed: The worm uses DNS to look up windowsupdate.com (which is, after all, dynamically load-balanced geographically with variable IP)... so no escape for MS -- Mr. Worm will find them yet! The clever trick is that companies with their own *internal* DNS can set up *.windowsupdate.com to resolve to 127.0.0.1. Infected hosts will just beat on themselves, causing no disruption.
The wave of worms activating their DoS mode will be highly reminiscent of the Y2K watch on New Year's Eve. Let's hope it's as uneventful.
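As an added example (not code from the original post), a small detector for the symptom described above: it scans a constructed flow log and reports any source sending bare SYNs at TCP/80 above an assumed per-second threshold, which is exactly how the "just a few" infected hosts give themselves away.

```python
"""Flag hosts whose SYN rate toward TCP/80 looks like a worm flood, not a client."""
from collections import defaultdict

# Constructed sample flow log (not from the original post), one packet per line:
#   timestamp src dst proto dport tcp_flags
# 10.1.2.3 fires 400 SYN-only packets at port 80 inside one second, which is the
# behaviour described for an infected host; 10.1.2.9 is a normal browser doing a
# three-way handshake. 203.0.113.10 is a documentation-range placeholder address,
# not a real windowsupdate.com IP.
SAMPLE_LOG = "\n".join(
    [f"2003-08-16T12:00:00.{i:03d} 10.1.2.3 203.0.113.10 tcp 80 S"
     for i in range(400)]
    + [
        "2003-08-16T12:00:00.100 10.1.2.9 203.0.113.10 tcp 80 S",
        "2003-08-16T12:00:00.150 10.1.2.9 203.0.113.10 tcp 80 A",
        "2003-08-16T12:00:00.200 10.1.2.9 203.0.113.10 tcp 80 PA",
    ]
)


def parse_line(line):
    """Split one log line; the timestamp is truncated to whole seconds for bucketing."""
    ts, src, dst, proto, dport, flags = line.split()
    return ts[:19], src, dst, proto, int(dport), flags


def syn_flooders(log, threshold=100):
    """Return {src: peak SYN-only packets per second to TCP/80} for sources at or
    above `threshold`. The threshold is an assumed value: a legitimate client
    opens a handful of connections per second, a Blaster-style host sends SYNs
    as fast as the NIC allows."""
    per_second = defaultdict(int)   # (src, second) -> SYN-only packets to port 80
    for line in log.splitlines():
        if not line.strip():
            continue
        second, src, _dst, proto, dport, flags = parse_line(line)
        # Only bare SYNs count: an ACK or PSH/ACK means a real handshake completed.
        if proto == "tcp" and dport == 80 and flags == "S":
            per_second[(src, second)] += 1
    peak = defaultdict(int)
    for (src, _second), count in per_second.items():
        peak[src] = max(peak[src], count)
    return {src: count for src, count in peak.items() if count >= threshold}


if __name__ == "__main__":
    for host, rate in sorted(syn_flooders(SAMPLE_LOG).items()):
        print(f"{host}: {rate} SYN/s to TCP/80, probable infected host")
```

Once the internal-DNS trick from the post is in place, the flood goes to 127.0.0.1 and never reaches the wire, so run this against logs captured before the sinkhole or against host-level captures.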
MS
Date: 2003-08-15 05:41 am (UTC)
hee hee
It rubs off.
Re: MS
Date: 2003-08-15 07:30 pm (UTC)
Then again, it's about time. What will these companies do when the next fast worm exploits a 0-day?
(no subject)
Date: 2003-08-15 05:27 pm (UTC)
Currently, windows update goes to something4.windowsupdate.microsoft.com, which is sitting on an Alkama server. Running Linux, apparently. Making the Linux people giggle with glee. I'm sure slashdork is covered with victory chants and all (although my local slashdork hasn't been annoying me with cries of victory, so maybe not.)
The interesting thing being the removal of the domain, and the fact that they DID do something to have it work if the domain disappeared for whatever reason.
What I'll be interested to see is if the new wormages look to that, i.e. reverse the windowsupdate program code...