
Re: rpc dcom worm and windowsupdate

From: Steffen Kluge <kluge(at)fujitsu.com.au>
Date: Wed Aug 13 2003 - 20:45:18 EDT

On Wed, 2003-08-13 at 19:03, Oliver.Gruskovnjak@BIT.admin.ch wrote:
> Ok our company is owned by the msblaster worm, now we would like to keep the

If you use proxies for web access and mandate the use of proxies by all internal clients on the Internet firewall, then the DDoS attack won't make it out. The worm wouldn't know about using a proxy; it'll try to go out directly.

If your proxying is done transparently (clients *think* they talk to the remote web server, but the firewall redirects their requests to a proxy) then the proxy server itself will be subjected to the SYN flood attack. It won't make outbound connections to windowsupdate.com until after it has read the client's request. This obviously implies a successful TCP handshake with the client, and SYN flood attacks are based around not completing this handshake.

Hence, unless you allow outbound HTTP connections from internal systems other than proxies, you needn't worry about DoSing MS. Your proxies don't run W2K or XP, now do they?

Cheers
Steffen.

Received on Wed Aug 13 22:39:07 2003
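
Added example, not part of the original message: with the explicit-proxy policy described above, the firewall drops direct outbound port-80 SYNs, and those drops identify the internal hosts that need cleaning. The address ranges, proxy address, threshold and log layout are assumptions constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the original post): internal range, proxy address,
# threshold and the log layout "time src dst dport flags" are constructed.
INTERNAL = ip_network("10.0.0.0/8")
PROXIES = {ip_address("10.0.0.10")}
THRESHOLD = 3  # dropped direct SYNs before a host is reported

def egress_allowed(src):
    """Policy from the post: only the proxies may open outbound HTTP."""
    return ip_address(src) in PROXIES

def suspects(log_lines, threshold=THRESHOLD):
    """Internal non-proxy hosts with >= threshold direct SYNs to port 80."""
    dropped = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line
        _ts, src, _dst, dport, flags = fields
        try:
            addr, port = ip_address(src), int(dport)
        except ValueError:
            continue  # unparsable address or port
        if port != 80 or flags != "SYN" or addr not in INTERNAL:
            continue  # only direct outbound HTTP connection attempts matter
        if not egress_allowed(src):
            dropped[src] += 1  # the firewall would drop this packet
    return sorted(host for host, n in dropped.items() if n >= threshold)

# Constructed sample log; 198.51.100.7 is a documentation address standing
# in for the remote web server.
SAMPLE_LOG = [
    "20:01:00 10.0.3.21 198.51.100.7 80 SYN",
    "20:01:00 10.0.3.21 198.51.100.7 80 SYN",
    "20:01:01 10.0.0.10 198.51.100.7 80 SYN",   # proxy, permitted
    "20:01:01 10.0.3.21 198.51.100.7 80 SYN",
    "20:01:02 10.0.5.9 198.51.100.7 80 SYN",    # single attempt, below threshold
    "20:01:02 10.0.3.21 198.51.100.7 80 SYN",
    "20:01:03 10.0.0.10 198.51.100.7 80 SYN",
    "20:01:03 truncated line",
]

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```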

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT

