North American Network Operators Group
Re: Did Wanadoo, French ISP, block access to SCO?
So that's 1-0 to the worm!

You could do some real cool things if you were controlling the DNS for a site
under a major sustained DDoS, who doesn't the intended victim like.. just fire
up an A record and they're gone! ;p

Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.

Steve

On Sun, 1 Feb 2004, Rubens Kuhl Jr. wrote:

>
> Just drop the www.sco.com DNS record, as they did... this particular worm
> goes after the URL, not the IP it usually had.
>
> >nslookup www.sco.com
>
> *** can't find www.sco.com: Non-existent domain
>
> >nslookup www.caldera.com
>
> Non-authoritative answer:
> Name: www.caldera.com
> Address: 184.108.40.206
>
>
> Rubens
>
>
> ----- Original Message -----
> From: <[email protected]>
> To: "Rubens Kuhl Jr." <[email protected]>
> Cc: <[email protected]>; <[email protected]>
> Sent: Sunday, February 01, 2004 9:09 PM
> Subject: Re: Did Wanadoo, French ISP, block access to SCO?
>
> On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <[email protected]>
> said:
> >
> > And by blackholing that IP they've also blackholed www.caldera.com, which is
> > currently not a DDoS target but is also not responding to requests.
>
> Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
> how do you create a DDoS that wouldn't take out the Caldera site as well?
>
> A sheer-traffic DDoS will hurt both. A synflood will hurt both.
>
> The webserver that's listening on port 80 doesn't know which site
> is being connected to until it actually reads in the HTTP/1.1 headers and
> looks at the Host: tag - and if there's enough things arriving with
> 'Host: www.sco.com', it will require some *very* creative filtering/limiting
> to keep one website working while the other is down....
>
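
An added example, not part of the original thread: a sketch of the per-Host limiting that the quoted message refers to as filtering/limiting for two sites on one IP. The site is only known after the connection is accepted and the headers are read, so this sheds request-level load for one name while leaving SYN floods and raw traffic volume untouched; the `PerHostLimiter` class, the limits and the sample requests are constructed assumptions.

```python
from collections import defaultdict


def parse_host(raw: bytes):
    """Return the lowercased Host header (port stripped), or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):                # bracketed IPv6 literal
                return host[: host.find("]") + 1]
            return host.partition(":")[0]
    return None


class PerHostLimiter:
    """Fixed-window request counter keyed by Host (hypothetical helper)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)
        self.window_start = 0.0

    def allow(self, raw_request: bytes, now: float) -> bool:
        if now - self.window_start >= self.window:  # new window: reset counters
            self.counts.clear()
            self.window_start = now
        host = parse_host(raw_request)
        if host is None:
            return False                            # HTTP/1.1 requires Host
        self.counts[host] += 1
        return self.counts[host] <= self.limit


def simulate():
    """Constructed traffic on one shared IP: 500 requests vs. 5 requests."""
    limiter = PerHostLimiter(limit=20, window=1.0)
    flood = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"
    normal = b"GET / HTTP/1.1\r\nHost: www.caldera.com\r\n\r\n"
    served, accepted_connections = defaultdict(int), 0
    for i in range(505):
        req = normal if i % 101 == 100 else flood
        accepted_connections += 1   # handshake cost is paid before Host is seen
        if limiter.allow(req, now=0.5):
            served[parse_host(req)] += 1
    return dict(served), accepted_connections
```

Every one of the 505 connections is still accepted and parsed, which is the cost the quoted message points at: the limiter only decides what happens after that work is done.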