WindowsUpdate.com Secured, Permanently
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.

Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."
Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.
I like music
OS: Linux
o m.edgesuite.net is an alias for a562.cd.akamai.net.
Server: Microsoft-IIS/6.0
Last changed: 15-Aug-2003
IP address: 213.161.82.33
Netblock Owner: Akamai
They did not switch their servers to Linux; they used Akamai's caching services to handle their massive bandwidth requirements. Notice the server is still IIS. This is an Akamai box (Linux) serving a cached copy of microsoft.com (Windows/IIS).
$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.c
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138
here it is:
/16
...
.. that should not be all that much of a problem.
Date: Fri, 15 Aug 2003 08:33:57 +0200
From: Carsten.Truckenbrodt@Bertelsmann.de
Subject: Re: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Hi,
This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1,
the following will happen: the worm uses spoofed IPs from the local
subnet as source address. Pointing all the SYN packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.
Even blocking or routing the normally resolved IP to Null0 will be a lot of
work because this domain is load-balanced throughout the world. That means you
get a different resolution depending on your ISP or place in the world.
If you manipulate your DNS, you should give no A record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.
Best Regards,
Carsten Truckenbrodt
Arvato systems Taco Network SnotIing Security
-----Original Message-----
From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
Sent: Friday, 15 August 2003 00:15
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
Folks,
How about MS standing up for the mess, and changing their own DNS to point
all requests for windowsupdate.com and whatnot to 127.0.01?
This will null the effect of the SYN flood very effectively. Only proxies
will be affected.
As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways.
So they will have to issue an update for windows-updater through other
channels (like their homepage for example) to point it to a different
web-site.
If MS does NOT make this change to their DNS, I can see many routers that are
trying to track connections toppling over in interesting ways.
Because the local techs have no clue, it will
take the affected companies ages to get back on the net.
tobi
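The SOA-only sinkhole zone Carsten describes, written out as a BIND 9 master-file. This is an added example, not from the thread; the zone name is from the thread, ns.sinkhole.example and hostmaster.sinkhole.example are placeholder names, and the NS record is an assumption forced by BIND, which refuses to load a zone without one.

```zone
; Sinkhole zone for windowsupdate.com (added example, BIND 9 master-file syntax).
; Idea from the reply above: answer the worm's lookup with NO A record, so it
; has no address to SYN-flood. Do NOT use 127.0.0.1: the infected host would
; flood itself, and its TCP stack would RST every spoofed neighbour address.
;
; ns.sinkhole.example / hostmaster.sinkhole.example are placeholders.
$ORIGIN windowsupdate.com.
$TTL 3600
@   IN  SOA  ns.sinkhole.example. hostmaster.sinkhole.example. (
            2003081501 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL for the empty answers below

; BIND will not load a zone without an NS record; the reply says "only a SOA",
; but one NS pointing at a placeholder is the minimum that actually loads.
@   IN  NS   ns.sinkhole.example.

; Deliberately no A or wildcard records: a query for windowsupdate.com returns
; NOERROR with an empty answer section, and a query for any name under it
; returns NXDOMAIN. Either way the worm gets no A record.
```

Load it with a `zone "windowsupdate.com" { type master; file "/path/to/this/file"; };` stanza in named.conf; `dig @localhost windowsupdate.com A` should then report status NOERROR, ANSWER: 0, with only the SOA in the AUTHORITY section.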
I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.
Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.
Tequila: It's not just for breakfast anymore!
The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.
However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!
Error Message: "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"
Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.
Lame.
Windows Update is already massively load balanced across multiple server farms. They use both a DNS-based load balancer (F5 3-DNS) and local area load balancers (F5 BIG-IP). The server farms are in a number of locations. Early, and not so early, in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNSs would create probes from each datacenter to the end user's system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IPs make Akamizing content a very simple matter. I'm not shilling for F5; I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably satisfied customer.