Full Disclosure mailing list archives

Re: MSBlast DDoS


From: "Benjamin M.A. Robson" <brobson () fulcrum com au>
Date: Thu, 14 Aug 2003 00:08:52 +1000

This is almost right. The packets should go straight to the firewall and out to the Internet, unless there is a device (such as the firewall itself) performing some sort of NAT redirect for the purposes of a transparent proxy. If this is the case then the packets will be sent via the proxy, and if they are not properly formed HTTP commands (GET, HEAD, etc.) the proxy server should reject them as bogus.

So... If no transparent proxying, then straight out firewall. If transparent proxying exists, then via proxy servers.

BenR.

Chris Eagle wrote:

The DDoS packets should go straight to your firewall.  They are raw IP
packets crafted with the windowsupdate.com ip address as the destination,
not that of your proxy server, so they should be sent to your gateway
device.  The source IP is randomized in various ways so probably won't
appear to originate from within your network.  The source MAC should be
traceable back to the infected machine however.

Chris

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Jasper Blackwell
Sent: Wednesday, August 13, 2003 12:03 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] MSBlast DDoS


Does anyone know if the DoS which works on port 80, according to the Eeye
advisory, is going to go through the proxy servers or just straight to the
firewall? I would guess it will go through the proxy servers.

Also any clues what to look for on the firewall logs? Again if it goes
through the proxy servers I suppose looking for a lot of traffic from our
proxies to the windows update site, using TCP traffic.

Jasp


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

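The thread's detection advice (raw TCP to the windowsupdate.com address on port 80, randomized source IPs, so correlate on the source MAC rather than the IP) as an added example, not part of any message above. It assumes a constructed firewall log format that records the source MAC of internal hosts, and uses a placeholder in place of the real windowsupdate.com address; both are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log format (not any real firewall product's format):
#   <time> <src_mac> <src_ip> -> <dst_ip>:<dst_port> <proto>
# The destination below is a placeholder standing in for whatever address
# windowsupdate.com resolved to; it is NOT the real address.
WINDOWSUPDATE_PLACEHOLDER = "203.0.113.10"

SAMPLE_LOG = """\
00:00:01 00:11:22:33:44:55 10.0.0.23 -> 203.0.113.10:80 TCP
00:00:01 00:11:22:33:44:55 198.51.100.7 -> 203.0.113.10:80 TCP
00:00:01 00:11:22:33:44:55 192.0.2.199 -> 203.0.113.10:80 TCP
00:00:02 00:11:22:33:44:55 172.16.9.4 -> 203.0.113.10:80 TCP
00:00:02 aa:bb:cc:dd:ee:ff 10.0.0.50 -> 203.0.113.10:80 TCP
00:00:03 aa:bb:cc:dd:ee:ff 10.0.0.50 -> 203.0.113.10:80 TCP
00:00:03 aa:bb:cc:dd:ee:ff 10.0.0.50 -> 198.51.100.20:443 TCP
00:00:04 00:11:22:33:44:55 10.0.0.23 -> 198.51.100.20:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<mac>[0-9a-f:]{17}) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<proto>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def find_suspect_macs(log_text, target=WINDOWSUPDATE_PLACEHOLDER, min_distinct_sources=3):
    """Group TCP/80 traffic toward the target by source MAC and flag MACs whose
    packets carry many different source IPs: a normal host (or a proxy) sends
    from one address, while a host spoofing its source address does not."""
    sources_by_mac = defaultdict(set)
    packets_by_mac = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] != 80 or rec["dst"] != target:
            continue
        sources_by_mac[rec["mac"]].add(rec["src"])
        packets_by_mac[rec["mac"]] += 1
    return {
        mac: {"packets": packets_by_mac[mac], "distinct_sources": len(srcs)}
        for mac, srcs in sources_by_mac.items()
        if len(srcs) >= min_distinct_sources
    }
```

If the firewall only logs IP headers, the same grouping has to be done on a switch or internal router that sees the MAC, since the randomized source IPs alone will not point back to the infected machine.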
