North American Network Operators Group
Re: Code Red : Any whitehouse.gov people around?
Sabri Berisha wrote:
>
> On Fri, 20 Jul 2001, Jasper Wallace wrote:
>
> > According to a recent post on bugtraq the worm is going to switch from
> > infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so.
>
> Knowing that some of the colocated boxes in our network *might* be
> infected; I have placed a nullroute for 22.214.171.124 (the IP
> www.whitehouse.gov resolves to).

Wrong IP to blackhole. Oops. I've copied the bugtraq post below for those of you who are not subscribed, who might have missed it, or are overwhelmed.

> > On Thu, 19 Jul 2001, Laurence Hand wrote:
> >
> > >
> > I believe the DDoS started an hour and a half ago, at 5:00 PDT (0:00 UTC,
> > the next day). I was getting 5-10 attempts an hour, and I've had 0
> > since 4:43:29 PDT.
> >
> > Folks will notice that www.whitehouse.gov is still accessible. The worm
> > authors only put in one IP address, the one for www1.whitehouse.gov. BBN
> > (who appears to be the provider for whitehouse.gov, according to my
> > tracert) has blocked that single IP address at their peering points. So
> > www2.whitehouse.gov is still running just fine.
> >
> > Presumably, www.whitehouse.gov used to be RR DNS between the two. Now,
> > www.whitehouse.gov resolves to just 126.96.36.199, and it has a TTL of
> > only 872.
> >
> > For a relatively clever worm, the author sure screwed up his target list.
> >

Whoops. Best to change that nullroute to www1.whitehouse.gov, and let up on www2.

Name:    www1.whitehouse.gov
Address: 188.8.131.52

Name:    www2.whitehouse.gov
Address: 184.108.40.206

--
Powered by Guiness.

Feds never "take a vacation" from being a fed.

Aj Effin ReznoR