Swept under the "Second Wave"

I'm back in Phoenix now, and I'll be posting the rest of my blog entries from the week later this afternoon. At this point, I'm trying to get some stuff done that I missed yesterday, due to an internet attack that you may not have heard about yet.

Cox Communications shut down most if not all of their network last night for several hours. The reason was a worm called “Second Wave”. While Cox would provide few details, they did say that it was a variant of the MSBlaster worm, and that it was designed to release a DDoS attack on the entire internet. In response, they asked all customers to unplug their modems for 2 hours to eliminate the excess traffic that the attack caused. They have supposedly installed a filter, but the activity light on my cable modem is still wigging out.

Chances are you are affected by this and don't know it yet. If you are using a broadband router, like my Linksys BEF1124S, make sure that the “Block WAN Request” option is on. It's an option that ignores any unsolicited incoming requests from the internet side, and it has saved me from many a worm infestation. Also, make sure your automatic updates are on, and be sure to visit http://v4.windowsupdate.microsoft.com as soon as possible to make sure that you are up to date.
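To make clear why a "block WAN requests" setting protects a home network without breaking your own browsing, here is a small added example (written for this page, not the router's firmware or anything the original post includes) that simulates the behaviour as a stateful filter: flows started from the LAN are remembered and their replies are let back in, while anything the internet side initiates on its own is dropped and logged. The packet trace, addresses and port numbers are constructed for the demonstration; treating the router option as stateful connection tracking is an assumption about how it works, not something the post states.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Packet:
    """One packet crossing the router. direction is 'out' (LAN -> WAN) or 'in' (WAN -> LAN)."""
    direction: str
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class BlockWanRequestFilter:
    """Stateful filter modelled on a 'block WAN requests' option (assumed behaviour).

    Outbound packets create flow state; inbound packets are accepted only if they
    belong to a flow the LAN opened. Every other inbound packet is unsolicited and dropped.
    """

    def __init__(self):
        self.flows = set()      # (proto, lan_ip, lan_port, wan_ip, wan_port) opened from the LAN
        self.dropped = []       # unsolicited inbound packets, kept for review

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: look up the flow with LAN/WAN sides swapped relative to the outbound key.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "ACCEPT"     # reply to something we asked for
        self.dropped.append(pkt)
        return "DROP"           # unsolicited request from the WAN side


def run_trace(packets):
    """Apply the filter to a packet list; return (verdicts, filter) for inspection."""
    fw = BlockWanRequestFilter()
    return [fw.handle(p) for p in packets], fw


def drops_by_source(fw: BlockWanRequestFilter):
    """Summarise unsolicited traffic by WAN source, the way you would scan a router log."""
    return dict(Counter(p.src for p in fw.dropped))


# Constructed trace: a LAN host (192.168.1.10) browses a web site and does a DNS lookup,
# then an unrelated internet host probes it on an arbitrary port, as a scanning worm would.
SAMPLE_TRACE = [
    Packet("out", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80),    # LAN opens HTTP
    Packet("in",  "tcp", "203.0.113.5", 80, "192.168.1.10", 51000),    # web server replies
    Packet("out", "udp", "192.168.1.10", 53001, "203.0.113.53", 53),   # LAN sends DNS query
    Packet("in",  "udp", "203.0.113.53", 53, "192.168.1.10", 53001),   # DNS answer
    Packet("in",  "tcp", "198.51.100.7", 40210, "192.168.1.10", 12345),  # unsolicited probe
    Packet("in",  "tcp", "198.51.100.7", 40211, "192.168.1.10", 12345),  # second probe
]

if __name__ == "__main__":
    verdicts, fw = run_trace(SAMPLE_TRACE)
    for pkt, verdict in zip(SAMPLE_TRACE, verdicts):
        print(f"{verdict:6} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("unsolicited inbound by source:", drops_by_source(fw))
```

The point of the simulation is the asymmetry: nothing the LAN host does is blocked, yet a worm scanning from outside never reaches a listening service, because its packets match no flow the LAN opened. The same idea is what a default-deny inbound rule with connection tracking gives you on a PC firewall if your router lacks such an option.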

As soon as I can find out what port it runs on, I'll pass the information on so that you guys can block it.

3 Comments

  • "and that it was designed to release a DDoS attack on the entire internet"

    Did they really say that? Given that the central notion of a DDoS attack is many "slave" machines attacking a single (or small group of) target(s), the idea of "a DDoS attack on the entire internet" is a little hard to swallow, is it not? If that's what the folks at Cox are saying, that sure explains why we can't rely on ISPs to filter traffic to prevent worms.

  • Well, if you can make a slave machine hit one target, why can't you make it hit hundreds of IPs, or cycle through all the IPs and hit them with large amounts of traffic? Is it THAT farfetched?

    And Andrew, why would we want ISPs to filter ports BEFORE attacks? Why don't we just close off the whole internet while we're at it, since they can attack on any number of ports?

  • Um...Robert, I think you missed my point. I was neither advocating, nor complaining about, whether or not Cox should filter ports, though if done properly it could be in their best interests to do so. My point was merely that if your statement of what Cox said about the DDoS attacks was accurate, I wouldn't trust them to do port filtering properly.

    As for your question about slave machines, it's simply a matter of limited resources. The reason DDoS attacks are successful is because the worm author marshals the resources of a large number of machines to attack a small number of machines (with limited resources). It's the concentration of the attack that makes it work. You certainly *could* make a DDoS script cycle through "all the IPs", but how are you going to hit them with large amounts of traffic? It just doesn't make a lot of sense. Sure, you could probably raise the noise level on the Internet a bit, but I have a hard time believing that, absent the coordination of many clients targeting a limited number of machines, you could mount an effective DDoS attack.
