Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
Snort Exploit!
Links to information:
First report: http://isc.sans.org/diary.php?storyid=770
Infocon Yellow: http://isc.sans.org/diary.php?storyid=772
Intrusion Detection: http://isc.sans.org/diary.php?storyid=782
Tool: http://isc.sans.org/diary.php?storyid=791
Hope everyone is safe.. -
Re:Non event... for now
-
Re:gaim works for me, but loses ground from here
I'm no zealot, so if you've found a solution which works for you, then great. Otherwise, (or if you have need for it in the future), you may want to check out floppyfw, or one of the other floppy-based distros. They typically target 386-class machines, so will usually support ancient hardware.
Other useful pages:
Not all of us who choose to use and recommend such systems are jerks. I'm sorry you had to deal with them, but unfortunately I don't know anywhere online where you can get useful help from the more helpful of us, without getting drowned out by the blind zealotry. -
eDonkey overtakes BitTorrent ???
It is interesting that this URL:
http://www.cachelogic.com/research/2005_slide16.php
shows eDonkey2000 taking over Bittorrent.
But if I look at a 3rd party I see a different picture.
BitTorrent
http://isc.sans.org/port_details.php?port=6881&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=
eDonkey2000
http://isc.sans.org/port_details.php?port=4661&repax=1&tarax=2&srcax=2&percent=N&days=70
Of course I assume that default ports are used the overwhelming majority of the time. But at least I know the source is from firewall logs from all over the world, compiled from a group that has no profitable interest in any specific P2P implementation. -
Internet Storm Center has a coverage suspicious list
SANS ISC has a list of suspicious domain names with descriptions collected by their handler team and volunteer readers. There are about 250 domains including the words hurricane, disaster, Katrina, victims, help, donate etc. at http://isc.sans.org/katrina.com.txt . Some of these sites were used to fake donations. Now ISPs have killed those fraudulent websites, as ISC reported recently in the http://isc.sans.org/diary.php?date=2005-09-03 diary.
-
security is about planning for the worst
If you work in a facility that requires you to not bring media into work so that you can't remove secret information, you deserve to be fired for bringing in a flash drive. Trusted insiders are the greatest threat, hence the need for policies. Such policies are very enforceable, and hold up under the law for the dismissal of employees who violate them. A good policy sets up not only what's forbidden, but also what to do if a security breach happens. Check http://www.sans.org/. If an employee is determined enough, he or she might just find a less restrictive job.
-
Re:Sandbox
Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
I apologise in advance for not having a link or a reference. I did a quick read on a paper from SANS, wherein they commented on an exploit referred to as "the red pill". IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant; if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.
Sorry I can't link to the pdf. I have the file but haven't the time to search for it at the moment.
cheers
-
I think the Chinese just need some good security.
Just look how many Chinese sites are on the block list. http://isc.sans.org/top10.php
-
I would read NIST's docs, SANS' ones, then others
Without full access to what DoD, itself, would require, I would start from here and then fill in the gaps from SANS' reading room, and move on to studying security mailing list archives, and/or by asking specific questions in those public forums.
-
Re:Is your computer infected?
My source suggests legacy domain controllers, Microsoft Exchange servers, Microsoft SQL Servers, etc.
I've not verified this, but I don't have any reason to doubt it. -
Re:MS says..
Symantec lists XP as a vulnerable OS, though I'm not certain if that is just a blanket response from Symantec.
However, TFA at CNN quotes the Sans Institute as having identified 'early versions of XP' as being susceptible to the threat, via the MS05-039 hole.
Being that XP is the red-headed stepchild of 2000, I'd say it's susceptible to attack. -
It's only news because it hit CNN...ISC is still showing green. To quote directly from the handler:
"CNN is heavily covering an outbreak of a worm in its own network. They are reporting that ABCNews and NYTimes are hit as well. All statements so far make this look like a Zotob variant, even though this variant appears to reboot the system. (Zotob.d ?).
Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.
Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops were able to take out the network from the inside once they connected back to it."
Feel free to insert the usual comments about media types overreacting and not understanding anything technical, along with misc sagely advice about defense in depth and perimeter security. -
A sober second opinion...... from the ever-excellent Internet Storm Center (http://isc.sans.org/):
Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.
As reported by Slashdot t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:
We moved to 'Yellow' on Friday, after we did see a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.
As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.
[....] Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow forever.
-
SANS/ISC's take on the CNN infection
The Internet Storm Center's take on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:
Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops were able to take out the network from the inside once they connected back to it.
-
Re:Sends chills
they said they went to yellow because there were a number of windows worms reported, plus the backup exec exploit.
http://isc.sans.org/diary.php?date=2005-08-12 -
Re:There is at least one worm active out there.
-
MS05-039 worm in the wild right now - apparently.
Apparently there is a MS05-039 worm in the wild and running now.
*nix users - prepare for the net to slow down. -
Re:Windows Threat Assessment
It would be cool to have a little app that reports the current Windows threat level.
The ISC "threat level" is available in a text feed, so this wouldn't be hard to do. -
Re:Infocon goes to yellow...Actually they don't.
In addition to the graphic, we offer two text feeds: * http://isc.sans.org/infocon.txt: The infocon color. Just one word in plain text * http://isc.sans.org/daily_alert.php: The daily alert. Infocon and handlers diary headline as minimal HTML feed for inclusion in web sites
R. -
Yellow is pretty rare..
A Yellow alert at the ISC is pretty rare, and it has been several months at least since the last one. Generally even a worm outbreak such as Blaster only elevates the threat level to Yellow. Orange is even rarer.. I think that maybe has happened just a couple of times with Code Red and Slammer. There has never been a Red alert level.
In other words.. the alert level tends to stay stubbornly at green unless there is a real issue - the ISC is usually extremely conservative about threat assessments. If they've raised the alert level as a precaution then it's definitely time to take notice.
As for me.. I check the ISC at least once every day to see what emergent threats are out there. There are also a number of tools you can use such as a small Windows app that can help to inform you when the threat level changes.
It's worth having these tools - when Sasser came out I'm pretty sure they saved my backside.. because in that case the amount of time between the vulnerability being announced and the worm coming out was so short that many organisations hadn't even started patching. Thanks to the ISC we managed to get almost everything secured in a day, so when the inevitable rogue laptop user physically brought a worm-infected machine into the office, we managed to contain the outbreak effectively.
-
Sorting Wheat from Chaff
I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for the number of sites with malware seem low).
Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary. I also recall a post on a mailing list that suggested that exploits were already circulating, but I cannot track down a citation for that. I really would not call it a 0-day (which is probably semantics), but at least their project picked it up within two weeks of the POC being published.
To Microsoft's credit, they do publicly acknowledge SEC-Consult as being responsible for discovery of the initial flaws, on the patch information page.
Sticking with M05-38, the image handling errors which were fixed are another example where Microsoft ignored public disclosure, especially when the disclosure sparked a level of interest on the Full-Disclosure mailing list.
With respect to pen-testing, my approach has always been to obtain a copy of the target software, and to test locally, before heading out for the client systems. Although not automated like the Honeymonkeys, it achieves a similar purpose. I also think that the monkey component of the honeymonkey might refer to the crazed monkey(?) testing tool in the original Macs, which performed random input (mouse movement, clicks, keys (I think)) as part of testing for unexpected application behaviour.
-
DShield Discussion
A similar article by zdnet.co.uk was brought up a few days ago on the DShield discussion list. One choice quote is from Johannes Ullrich, a member of the SANS Internet Storm Center and the developer of DShield:
We do receive reports from about 500-700k IP addresses each day. Including the full list would be hard (or make for a very large worm). In addition, many of these IPs are dynamic, so you have to exclude networks rather than individual IPs.
To put it down bluntly: If every IP is a sensor, there is nobody left to attack ;-)
For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about. -
Re:What is this stuff *for* anyway?
Let me add to that. I keep track at the following sites:
http://rssnewsapps.ziffdavis.com/tech.xml
http://www.microsoft.com/technet/security/bulletin/secrss.aspx
http://www.mozilla.org/news.rdf
http://feeds.dshield.org/news.xml
http://www.sans.org/newsletters/newsbites/rss/
http://www.sophos.com/virusinfo/infofeed/tenalerts.xml
You can get the OPML of my feed list at http://www.shokk.com/opml.opml -
Nagios, Mon. et al.
You need to develop a strategy that includes network monitoring, penetration testing, and watching the security lists or sites.
For a network monitor, Nagios (http://www.nagios.org/) is popular, but I like Mon (http://www.kernel.org/pub/software/admin/mon), because of its simplicity.
Once you start watching, you realize that you get attacked so much that you quickly scale back the sensitivity. In the end, the monitor becomes a forensics tool, or a way of verifying that it's not an attack that's causing whatever problem you're having.
Acquire skill with Nmap (http://insecure.org/). Learn how to know what the bad guys know about you. Google yourself and your network, to see what dangerous information is out there about you and your network. Try to render that information obsolete.
Read up at http://sans.org/ or maybe a CERT advisory list.
You can spend minimal time on any of this or all of your waking hours.
But it's great getting paged that a server is offline before anyone else (like the client) knows about it. -
Re:Modularised code will always have this problem.
DJB's technique is to produce (imho) underfunctional software and deny security issues when they arise. (Witness the recent overrun in qmail's pop3 daemon, because the thing uses certain high bits for rather strange purposes.)
ISC mentioning it:
http://isc.sans.org/diary.php?date=2005-05-31
Wikipedia mentioning it:
http://en.wikipedia.org/wiki/Daniel_Bernstein
And his reply:
http://cr.yp.to/qmail/guarantee.html "Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits"
I don't know about you, but that a program's author would make that kind of assumption makes me somewhat uncomfortable.
Anyway, the REAL flaw in this logic is that it's a probability thing - a competent programmer can produce an error free line of code (say) 95% of the time. But when you have ten lines, it's a matter of all ten being error free - (0.95) ^ (10) - which is only 60%. Heck, at 99% chance of being good each line, it's a 90% chance those ten lines are good.
Now what if there's 10,000 lines of code?
Bugs happen. -
Try looking at Benchmarks
While books are good, you will have to wade through a lot of verbiage to find the gems. Although they won't provide the historical and technical backgrounds, you should seriously consider beginning with industry benchmarks rather than trying to make up your own.
Try these for starters:
Center for Internet Security
http://www.cisecurity.org/
SANS Step-By-Step Guides
https://store.sans.org/store_category.php?category=stepxstep&portal=d3e56294b582309b0d88a6990e8621ce
Both will provide you with a checklist to secure your systems, and although neither will be "all inclusive" they will give you a foundation to build your security program on.
In large enterprises subject to regulatory oversight and external auditing they use these as a starting point.
Hope this helps,
Jim Robinson Jr., CISSP -
Re:Just buy a Mac :-)
But there ARE exploits and issues even in Apache.
Just add a few modules and look how insecure your server becomes.
I do seem to remember a cute worm that traveled via PHPBB: http://isc.sans.org/diary.php?date=2004-12-21
While I agree that Mac is not going to become the "Typhoid Mary" that Windows currently is but I do think it is rather foolish for Mac users to take the "We are so damn secure" attitude as things might suddenly change with one unnoticed mistake. -
Re:It's not just the non-technical users
Okay, sorry if I am sounding like a jerk. I really just want to know how this can happen!
You somehow assume that you actually have to "click" a link and "save to disk" to download a file through IE. This is not so. Sites can use IE to install software on your computer, without your knowledge, even with all the preventative measures you mentioned. This is possible with what are known as "exploits" in the system. The insecurity of IE is not so much the default settings, as it is that changing the settings means practically nothing. That is why IE is flawed and broken beyond belief with critical security vulnerabilities.
If you want to see how easily a PC is infected without you clicking, saving, or knowing ANYTHING, this series of articles will help: http://isc.sans.org/diary.php?date=2004-07-23
-
Internet Storm Center is tracking "survival time"
The Internet Storm Center has been tracking a similar number for a while. See the "survival time". It has actually improved over the last few months!
-
Re:SANS
And it's interesting to note that currently, the "average time between attacks" is 32 minutes. According to the graph, average survival time hasn't ever been as low as 12 minutes.
I can't RTFA (stupid Websense), but the original Sophos press release doesn't shed much light on their methodology. I don't have any clue on how they arrived at their 12-minute "half-life", but I think I trust SANS ISC much more. At least, I'm fairly sure they don't have a commercial interest in raising anxiety about instantaneous system infection.
-
SANS
Apparently no one knows of the Survival Time http://isc.sans.org/survivalhistory.php
This is a graph auto-generated from live network traffic estimating the time from plugin to compromise for a Windows machine. -
There are other sites available.
Andrew Jaquith, senior analyst with The Yankee Group in Boston. "There is really no good, consistent source for security information on the Internet," he said.
There are already a handful of really good sites out there. How will ATT compete with the likes of The Internet Storm Center, Security Focus, Packet Storm, and Security Pipeline, which are current and relevant?
Also in TFA, there were statements that the news services will be offered to ATT customers. Will non-customers also have access to the site for free? If not, how does this compare to other managed services offerings from the likes of Symantec, ISS, and others? -
Re:Missing something fundamental
Cases where it's actually happened:
Slapper
Lion
Scalper
Those are just from a quick Google. Then there's the list of Linux and Mac OS X vulnerabilities (take a look around www.cert.org). How could you possibly claim that Linux and Mac OS X "don't get viruses" when any one of those vulnerabilities might be actively exploited. Just because a worm or virus doesn't make the news doesn't mean it's not out there.
I'll be here waiting
Hope I didn't keep you too long. I'm not sure why you're fighting this fight, particularly if you position yourself as someone knowledgeable on IT. -
SANS Community
The SANS community broke this news yesterday on the DShield listserv... Check out Incidents.org for the current news concerning it. As well as the ongoing investigation.
-
Re:Patches don't solve the problem on new installs
Yup: Windows XP: Surviving the First Day from the SANS institute covers this problem.
The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.
-
Re:Reminds me of the JPG buffer overflow
SANS.ORG [http://isc.sans.org/diary.php?date=2005-06-14] is reporting that these patches might restore program access defaults.
-
Re:Tickets?
Here's a good spot.
-
Simple Formula for Strong Passwords (SFSP) Tutorial
There was an interesting paper I came across recently at the SANS reading room. Although the techniques it talks about are not revolutionary, it does present them in an easy to read manner, which may be used as a basis to train end-users.
http://www.sans.org/rr/whitepapers/authentication/1636.php
I don't like the suggested way to deal with required password changes (add a number to the end) because it goes against best practice. I did however question why adding numbers to the end of passwords during a forced change is not recommended and all I came up with is:-
- if you know users have strong passwords, the reason why you still force them to change passwords regularly is to mitigate the risk that someone other than the user has gained access to that password. So simply adding numbers to the end of passwords voids the mitigation of the required password change. -
not much discussion. . .
but it still looks like a good source of information.
I also use http://www.sans.org/newsletters/ to keep up to date.
What other resources do people here use to make sure that your server applications are up to date? -
Speaking of spreading worms...
How timely this article!
Today an internal customer asked me why Slashdot seemed to be broken. I check the firewall logs and, lo and behold, discover 66.35.250.150 triggered the firewall's IDS for tweaking port 2000/TCP.
Why was /. poking at that port on my firewall, particularly considering what's usually there? -
Remote code execution against firefox 1.0.3
See http://isc.sans.org/diary.php?date=2005-05-07 for info on the javascript bug in 1.0.3 that allows remote code execution.
Doh. -
Re:fighting back with infrastructure
customer-level ingress filtering -- e.g. if the "other end" of the cable modem gets a packet whose src address is not that of the cable modem, drop it on the floor, it's forged.
It is called "egress filtering" (more info (PDF)). It is asinine that all ISPs aren't doing this. Spoofed addresses are one major reason why DDoS attacks are so hard to counter.
-
Re:Just an annoyance
The ultimate goal is similar to SPAM flooding. The point is: I still use email despite it.
Much like I can easily distinguish SPAM by just looking at the from or subject header for email, methods will be generated to help spot such tampering in P2P.
NOTE: I use email, but don't trust P2P. (read www.sans.org/top20/ for my trust issues) -
Re:Drastic Measures
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
In addition to the already commented use of sending spam, zombied machines can be used to poison DNS servers. The poisoning basically involves sending lots of forged packets to the DNS server in what is known as a birthday attack. There has recently been a rash of these kinds of attacks as documented by SANS. -
Re:Should be the standard
A virgin Windows box has a ten-minute window from the time it connects to the internet to the time it gets a malware/spyware/trojan/some bad thing.
Good news! Today it's up to a whopping 25 minutes!
-
Re:From the Internet storm-in-a-teacup dept...
So, zero action is required by Windows DNS admins, unless for some reason they are running Win2k pre-SP3, or NT4. Even with these older versions of the OS, a single setting change secures the box from DNS poisoning.
Except, as has been pointed out in TFA, when you forward to another DNS server. In that case, Windows ignores your security settings and believes everything it hears from the server it's forwarding to. BIND 4 and 8 pass poisoned entries to servers that forward to them. Since Windows ignores its own security settings in that scenario, it happily accepts the poison. No amount of clue can prevent this problem if your Windows DNS forwards to another server that gets poisoned or doesn't bother to scrub poison before passing it on.