[scg-sec] Sco.com
Jared Mauch
jared at puck.nether.net
Tue Jan 27 20:35:43 EST 2004
On Tue, Jan 27, 2004 at 08:26:24PM -0500, Sean Donelan wrote:
> What type of network impact are we actually expecting? www.sco.com may
> get knocked off the air, but the attack itself appears to be TCP SYN
> limited. The attack computers appear to throw a bunch of SYNs and then
> stall waiting for a response.
Well, I would say this depends on the infection rate.
This is fairly nasty as it sticks itself in a number of startup
locations.
> I know the attack isn't going to start in earnest until Feb 1, but even
> with clock skew there isn't a whole lot of network traffic. If SCO
> akamized their web site, I might be more concerned, because Akamai has
> enough bandwidth to DoS the attackers back just by responding to the
> requests.
;-)
> Other than blackholing www.sco.com traffic, either SCO abandons the
> domain or we sink the IP traffic, what can we really offer? Get our
> customers to fix their computers before February 1?
Well, getting the customers to fix their computers is a
good first start.
SCO might agree to allow us all to sinkhole the traffic
on our network for part of the 1st or just prior in order to allow
us to find the infected sources within our network.
We could also try to match on the HTTP GET datagram,
since most real web browsers send a User-Agent. Anyone know of
creative ways to dump the possibly 'bad' traffic? (i.e., like
dropping 92-byte ICMPs)
> sbc security guy (I have a lot of attack computers)
(we have a fair number in japan too)
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
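The User-Agent heuristic discussed in the message, worked through as an added example (not code from the post or from anyone on the list): parse the head of each captured HTTP request, keep only GETs aimed at www.sco.com (or carrying no Host header at all), flag those that send no User-Agent, and tally them per source address so an operator can find likely infected hosts inside their own network. The request samples and source addresses are constructed; the hostname is the one the thread is about. Because User-Agent is optional in HTTP, a missing header is a triage signal for follow-up rather than proof of infection, which is why the tally takes a threshold.

```python
"""Tally HTTP GETs that carry no User-Agent header, per source IP, as a
heuristic for locating worm-infected hosts on one's own network.
Added example; the request samples below are constructed."""
from collections import Counter

# Constructed sample: (source IP, raw HTTP request bytes as seen on the wire).
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"),
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"),
    ("10.0.0.7", b"GET /index.html HTTP/1.1\r\nHost: www.sco.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", b"GET / HTTP/1.0\r\n\r\n"),            # no Host, no User-Agent
    ("10.0.0.7", b"POST /form HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def parse_request(raw: bytes):
    """Return (method, path, headers) for a well-formed request head, else None.
    Header names are lower-cased so lookups are case-insensitive."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "strict")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:          # a header line without a colon is malformed
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def is_suspect_get(raw: bytes, target_host: str = "www.sco.com") -> bool:
    """True for a GET aimed at target_host (or sent with no Host header)
    that carries no User-Agent header."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _path, headers = parsed
    if method != "GET":
        return False
    host = headers.get("host", "").split(":")[0].lower()
    if host and host != target_host.lower():
        return False
    return "user-agent" not in headers


def suspect_sources(requests, threshold: int = 1, target_host: str = "www.sco.com"):
    """Count suspect GETs per source IP and return the IPs at or above threshold.
    Raise the threshold to reduce noise from legitimate clients that omit User-Agent."""
    counts = Counter(src for src, raw in requests if is_suspect_get(raw, target_host))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(suspect_sources(SAMPLE_REQUESTS).items()):
        print(f"{ip}: {n} suspect GET(s) without User-Agent")
```

The same parser can be fed request heads pulled from a packet capture or a proxy log; only the first line and header block are inspected, so the body is never needed.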