[scg-sec] Sco.com
Smith, Donald
Donald.Smith at qwest.com
Wed Jan 28 00:09:18 EST 2004
It looks like SCO has begun preparing for a move of www.sco.com.
Dig www.sco.com returns
www.sco.com 1M IN A 216.250.128.12.
I have not tested, but a DNS "move" of www.sco.com to an unroutable
address is probably the easiest solution. If that is SCO's plan then
perhaps we could get the unroutable address, monitor traffic to that
address and use it to create a list of infected customers.
I have a couple of questions:
1: Does the DDoS do an nslookup to get the IP address? Everything I have
read indicates the attack is against the name, implying a name server
lookup is required.
2: When does the DDoS portion get the name-to-IP translation (at the
beginning or continuously)?
-----Original Message-----
From: scg-sec-bounces at puck.nether.net
[mailto:scg-sec-bounces at puck.nether.net] On Behalf Of Sean Donelan
Sent: Tuesday, January 27, 2004 6:26 PM
To: Jared Mauch
Cc: scg-sec at puck.nether.net
Subject: Re: [scg-sec] Sco.com
What type of network impact are we actually expecting? www.sco.com may
get knocked off the air, but the attack itself appears to be TCP SYN
limited. The attack computers appear to throw a bunch of SYNs and then
stall waiting for responses.
I know the attack isn't going to start in earnest until Feb 1, but even
with clock skew there isn't a whole lot of network traffic. If SCO
akamized their web site, I might be more concerned, because Akamai has
enough bandwidth to DoS the attackers back just by responding to the
requests.
Other than blackholing www.sco.com traffic (either SCO abandons the
domain or we sink the IP traffic), what can we really offer? Get our
customers to fix their computers before February 1?
sean donelan
sbc security guy (I have a lot of attack computers)
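The sinkhole idea raised above (have the name resolve to an address we control, then list the sources that hit it) worked through as an added example; this is not code from either poster. The sinkhole address, the customer prefixes and the log lines are all constructed, and it assumes the connection attempts arrive as bare TCP SYNs on port 80, as the thread describes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed values, not from the thread: a sinkhole address in TEST-NET-1 and
# two customer prefixes from documentation ranges.
SINKHOLE = ip_address("192.0.2.10")
CUSTOMER_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
KV_RE = re.compile(r"(\w+)=(\S+)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split a netfilter-style LOG line into KEY=value fields plus TCP flags."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["FLAGS"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return fields

def is_sinkhole_syn(rec, sinkhole=SINKHOLE, port=80):
    """A bare SYN (no ACK) to the sinkhole's web port means the source resolved
    the sunk name and tried to connect: a candidate infected host."""
    return (rec.get("PROTO") == "TCP" and ip_address(rec["DST"]) == sinkhole
            and rec.get("DPT") == str(port)
            and "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"])

def infected_hosts(lines, nets=CUSTOMER_NETS):
    """Count sinkhole SYNs per source, split into our customers (to notify)
    and everyone else (to hand to the other operators)."""
    customers, others = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sinkhole_syn(rec):
            continue
        src = ip_address(rec["SRC"])
        (customers if any(src in n for n in nets) else others)[str(src)] += 1
    return customers, others

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
Feb  1 00:00:01 sink kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=80 SYN URGP=0
Feb  1 00:00:03 sink kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=80 SYN URGP=0
Feb  1 00:00:04 sink kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=80 ACK URGP=0
Feb  1 00:00:05 sink kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=443 SYN URGP=0
Feb  1 00:00:06 sink kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=80 SYN URGP=0
Feb  1 00:00:07 sink kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=3000 DPT=80 SYN URGP=0
Feb  1 00:00:08 sink kernel: IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=80 LEN=40
""".splitlines()
```

Calling `infected_hosts(SAMPLE_LOG)` returns the per-source counts for customer space and for everyone else; the ACK, port 443 and UDP lines are ignored.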
_______________________________________________
scg-sec mailing list
scg-sec at puck.nether.net https://puck.nether.net/mailman/listinfo/scg-sec