On Fri, 2003-08-15 at 21:56, Craig Whitmore wrote:
> What are ISPs doing before midnight tonight so their network is not affected? I guess getting 1000's of customers to remove the virus from their machines is impossible.

I've just cleared my mail from nznog so this info is a few hours late but is still relevant.

The worm only checks the clock on start up, so worms running before midnight last night will not start DOS until they are restarted. This means that instead of a flood of traffic at midnight we should see a steadily increasing trickle, which may turn into a flood. Anyone confirm this is actually happening?

We managed to get most of the infected machines closed down or patched by Friday afternoon and I have been unable to see any evidence of the DOS on our network so far. That may change on Monday morning...

BTW since this is a SYN flood attack and supposedly uses randomly forged source addresses, the traffic can be filtered where you know what source addresses should be. We are now doing this within our network to try and keep any DOS traffic off the backbone.

--
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
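
The source-address filtering described in the message above, sketched as an added example (not part of the original post, and not the author's actual configuration): packets are dropped when their source address does not belong to a prefix expected on the interface they arrived on, and dropped SYNs are counted per interface to show which segment still has an infected host. The interface names, prefixes and packet records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed mapping of access interfaces to the prefixes legitimately behind
# them (documentation address ranges, constructed for this example).
ALLOWED = {
    "vlan10": [ipaddress.ip_network("192.0.2.0/25")],
    "vlan20": [ipaddress.ip_network("192.0.2.128/25"),
               ipaddress.ip_network("198.51.100.0/24")],
}

def source_is_valid(iface, src):
    """True if src is inside a prefix expected on the arrival interface.
    Unknown interfaces have no allowed prefixes, so they fail closed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED.get(iface, []))

def filter_packets(packets):
    """Split packets into forwarded and dropped, and count dropped SYNs per
    interface. A forged source still arrives on a real interface, so the
    counter points at the segment holding the flooding machine."""
    forwarded, dropped, spoofed_syns = [], [], Counter()
    for pkt in packets:
        if source_is_valid(pkt["iface"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            if pkt["flags"] == "S":
                spoofed_syns[pkt["iface"]] += 1
    return forwarded, dropped, spoofed_syns

# Constructed packet records: iface = arrival interface, flags "S" = SYN only.
SAMPLE = [
    {"iface": "vlan10", "src": "192.0.2.17",   "flags": "S"},  # legitimate
    {"iface": "vlan10", "src": "172.16.9.4",   "flags": "S"},  # forged
    {"iface": "vlan10", "src": "198.51.100.7", "flags": "S"},  # wrong segment
    {"iface": "vlan20", "src": "198.51.100.7", "flags": "A"},  # legitimate
    {"iface": "vlan20", "src": "192.0.2.200",  "flags": "S"},  # legitimate
    {"iface": "vlan10", "src": "192.0.2.130",  "flags": "A"},  # wrong segment
]

if __name__ == "__main__":
    fwd, drop, syns = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for iface, count in syns.most_common():
        print(f"{iface}: {count} SYNs with invalid source")
```

A randomly forged address that happens to fall inside the interface's own prefix still passes, so the filter reduces the flood leaving the network rather than eliminating it.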