Verisign Automated SelfLART

To: debate@xxxxxxxxxxxxxx
Subject: Verisign Automated SelfLART
From: Kristian Koehntopp <kris@xxxxxxxxxxxx>
Date: Fri, 19 Sep 2003 07:31:27 +0200
List-help: <mailto:debate-help@lists.fitug.de>
List-id: <debate.lists.fitug.de>
List-post: <mailto:debate@lists.fitug.de>
List-subscribe: <mailto:debate-subscribe@lists.fitug.de>
List-unsubscribe: <mailto:debate-unsubscribe@lists.fitug.de>
Mailing-list: contact debate-help@xxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i

----- Forwarded message from Jeremy_Powell@xxxxxxxxxxxxxxx -----

Subject: Interesting interaction between Blaster worm variants and Verisign DNS 
change
Date: Thu, 18 Sep 2003 20:29:16 -0700
From: <Jeremy_Powell@xxxxxxxxxxxxxxx>
To: <nanog@xxxxxxxxx>

I think that an interesting interaction involving:

1) Blaster worm DDoS attack against windows update.
2) The default action of Windows 2000 and XP computers
to automatically append the domain name under "Network
Identification" or the suffix search list to DNS lookups.
3) The number of non-existent domains that exist in the
above settings.
4) The change that Verisign made so that all non-existent
domains resolve to 64.94.110.11

is the cause of the DDoS attack that Verisign is experiencing.

It is simple to reproduce 2-4.  Reconfigure any Windows 2000
computer or XP computer so that its domain name does not
exist or so that the first domain name in its domain suffix
search order does not exist and then do an nslookup.  It
will append the domain you added to your lookup and the result
of the lookup will be 64.94.110.11 if the domain you added
does not exist.  All that is needed next is a machine satisfying
this condition to have a variant of the Blaster worm that is
performing its DDoS against windowsupdate.com.  It will instead
sends its traffic to 64.94.110.11.  In a network of roughly
30,000 computers we have had 2 with this combination of troubles
already.

Jeremy Powell
San Bernardino County Superintendent of Schools

_________________________________________________________________________________

Statement of Confidentiality:  The contents of this e-mail message and any 
attachments are intended solely for the addressee.  The information may also be 
confidential and/or legally privileged.  This transmission is sent for the sole 
purpose of delivery to the intended recipient.  If you have received this 
transmission in error, any use, reproduction, or dissemination of this 
transmission is strictly prohibited.  If you are not the intended recipient, 
please immediately notify the sender by reply e-mail, send a copy to 
postmaster@xxxxxxxxxxxxxxx and delete this message and its attachments, if any.

E-mail is covered by the Electronic Communications Privacy Act, 18 USC SS 
2510-2521 and is legally privileged.  

Date Sent (d/m/yy): 18/9/2003  -  Sender: Jeremy_Powell@xxxxxxxxxxxxxxx

----- End forwarded message -----

-- 
To unsubscribe, e-mail: debate-unsubscribe@xxxxxxxxxxxxxx
For additional commands, e-mail: debate-help@xxxxxxxxxxxxxx

Follow-Ups:
- Re: Verisign Automated SelfLART
  - From: Florian Weimer

Prev by Date: Re: [FYI] Binäres XML -
Next by Date: Re: Verisign Automated SelfLART
Previous by thread: Re: Soll das patentierbar sein? Was soll patentierbar sein?
Next by thread: Re: Verisign Automated SelfLART
Index(es):
- Date
- Thread