[scg-sec] Sco.com
Christopher L. Morrow
chris at UU.NET
Fri Jan 30 00:51:55 EST 2004
On Tue, 27 Jan 2004, Smith, Donald wrote:
> It looks like sco has begun preparing for a move of www.sco.com.
> Dig www.sco.com returns
> www.sco.com 1M IN A 216.250.128.12.
> I have not tested but a DNS "move" of www.sco.com to an unroutable
> address is probably the easiest solution. If that is sco's plan then
> perhaps we could get the unroutable address monitor traffic to that
> address and use it to create a list of infected customers.
don't set it to 127.0.0.1 :) I get enough 127.0.0.1 source packets now
from that other virus that is still trying to attack MS :(
>
> I have a couple of questions:
> 1: Does the ddos do an nslookup to get the ip address? Everything I have
> read indicates the attack is against the name implying a name server
> lookup is required.
> 2: When does the ddos portion get the name to ip translation (at the
> beginning or continuously?)
>
>
> -----Original Message-----
> From: scg-sec-bounces at puck.nether.net
> [mailto:scg-sec-bounces at puck.nether.net] On Behalf Of Sean Donelan
> Sent: Tuesday, January 27, 2004 6:26 PM
> To: Jared Mauch
> Cc: scg-sec at puck.nether.net
> Subject: Re: [scg-sec] Sco.com
>
>
> What type of network impact are we actually expecting? Www.sco.com may
> get knocked off the air, but the attack itself appears to be TCP SYN
> limited. The attack computers appear to throw a bunch of SYNs and then
> stall waiting for a response.
>
> I know the attack isn't going to start in earnest until Feb 1, but even
> with clock skew there isn't a whole lot of network traffic. If SCO
> Akamaized their web site, I might be more concerned, because Akamai has
> enough bandwidth to DoS the attackers back just by responding to the
> requests.
>
> Other than blackholing www.sco.com traffic, either SCO abandons the
> domain or we sink the IP traffic, what can we really offer? Get our
> customers to fix their computers before February 1?
>
> sean donelan
> sbc security guy (I have a lot of attack computers)
> _______________________________________________
> scg-sec mailing list
> scg-sec at puck.nether.net https://puck.nether.net/mailman/listinfo/scg-sec