| 00:00.12 | Hanuman | Our av program integrates w/ the mail server to stop viruses like this |
| 00:00.12 | sjansen | Bradipo: BYU has shut off it's smtp server for the interim. |
| 00:00.21 | Bradipo | sjansen: Inbound? |
| 00:00.26 | sjansen | Yep. |
| 00:00.38 | Bradipo | Ours is going, but it's pegged. |
| 00:00.49 | RyanE | comcast appeared to have shut theirs down for a while as well. |
| 00:00.49 | Hanuman | My home server uses f-prot to scan incoming e-mails, so I haven't gotten any |
| 00:01.04 | sjansen | I don't know about connections, but disk was filled. Didn't help that the virus managed to get the magical "spam all active students" address. |
| 00:01.05 | Hanuman | yeah - I haven't seen any |
| 00:02.26 | Hanuman | Bradipo: if you had OSS community on your side, we could all setup a community of dns servers worldwide that you could register to distribute traffic |
| 00:02.54 | Bradipo | sjansen: All it had to do was infect one person that had that address in their address book or otherwise in their system somewhere. |
| 00:03.03 | sjansen | Hanuman: No point picking at scabs. No one's gonna be happy until we've got Darl's head on a stick. |
| 00:03.06 | Bradipo | Well, DNS isn't a big issue. |
| 00:03.12 | Bradipo | It isn't going to hurt our DNS servers. |
| 00:03.12 | Hanuman | sjansen: lol |
| 00:03.30 | Hanuman | I know Bradipo can do nothing about it. I know he likes to laugh with us, though sometimes. |
| 00:04.07 | Bradipo | I try to steer clear of pronouncing any opinion on anything though. :-) |
| 00:04.23 | Hanuman | Bradipo: we all know what you really think though ;-) |
| 00:04.28 | Bradipo | If it's a joke, then sure I may laugh... |
| 00:04.57 | Bradipo | What I really think is that I am not going to worry about it until it gets to court. |
| 00:05.09 | Bradipo | Since I don't know one way or the other, I refuse to participate in speculation. |
| 00:05.17 | Hanuman | I agree |
| 00:05.22 | Hanuman | I like to joke about it though |
| 00:05.25 | Bradipo | Sure. |
| 00:06.08 | Bradipo | I think it's more fun to try to figure out the DNS signature than it is to worry about legal issues. :-) |
| 00:06.34 | sjansen | Well, I want Darl's head just for being a jerk if nothing else. |
| 00:06.44 | emcnabb | me me!! I want it!!! |
| 00:06.58 | Hanuman | Throw it over here when you get it! |
| 00:07.16 | sjansen | emcnabb: Better be careful or they might not let us into the court to watch him be humiliated. |
| 00:07.25 | Hanuman | Bradipo: you could always get volunteers to setup mirrors |
| 00:07.27 | emcnabb | true |
| 00:07.35 | emcnabb | Hanuman, haha |
| 00:08.03 | Hanuman | Ah comeon - Darl's gotta approve that - he's a geek isn't he? |
| 00:08.35 | Hanuman | I've got a freeservers account I can put one on. |
| 00:09.32 | Bradipo | Hanuman: I have come upon a snag in this DNS analysis. |
| 00:09.40 | Hanuman | what's that? |
| 00:09.53 | Hanuman | (speaking of which - I just got my first e-mail w/ the worm) |
| 00:09.57 | *** join/#utah philhans (~philip@byu172589wks.rn.byu.edu) |
| 00:09.59 | Bradipo | If the virus just uses your name resolver, then I doubt there will be much to discover. |
| 00:10.16 | Bradipo | Since it will be the name resolver connecting to our name server to do the lookup. |
| 00:10.28 | Bradipo | If it were the virus that did the actual lookup then there may be something to anaylize. |
| 00:10.33 | Bradipo | Analyze. |
| 00:10.57 | Bradipo | If only I had a Windows system here I could infect and roll the date forward. :-) |
| 00:12.38 | Hanuman | Bradipo: you could detect frequency of resolutions from the same IP's and detect it that way |
| 00:12.54 | sjansen | The point is, he'd have to take out legitimate resolvers. |
| 00:12.58 | Hanuman | ie if you get so many within a minute, mark that IP as infected, send traffic elsewhere |
| 00:13.51 | Hanuman | hmmm...that wouldn't work most likely |
| 00:14.24 | Hanuman | well, it does send originating IP along with the DNS query, doesn't it? |
| 00:14.52 | Hanuman | you're most likely not going to get AOL Ddos's because it ignores those |
| 00:15.11 | Bradipo | Hanuman: Yeah, that would work until I start blocking legitimate hosts. |
| 00:15.13 | Hanuman | so that IP subnet isn't a worry |
| 00:15.26 | *** part/#utah RyanE (~ryan@rberick.dsl.xmission.com) |
| 00:15.32 | Bradipo | Hanuman: No, the originating IP is not in the DNS packet that I'm aware. |
| 00:15.41 | Hanuman | Bradipo: you could re-allow it every few minutes and try again |
| 00:15.42 | sjansen | So SCO still gets legitimate traffic? |
| 00:15.47 | Hanuman | Better than not allowing anyone through |
| 00:16.01 | Bradipo | sjansen: Unless this IRC discussion is illegitimate yes. :-) |
| 00:16.27 | sjansen | That's what I thought. Nothing good coming into or out of SCO. |
| 00:16.49 | sjansen | Complete waste of time and everyone's money. |
| 00:17.14 | Bradipo | And this virus isn't? |
| 00:17.31 | Bradipo | This DoS affects more than just us at the moment. |
| 00:17.41 | Hanuman | I'm learning a bit on how to combat worms |
| 00:17.51 | Bradipo | IT personnel worldwide are going to be working for the next few weeks cleaning this up. |
| 00:17.54 | Hanuman | or going nowhere |
| 00:17.58 | sjansen | I hear beer works well... oh, wait, that's slugs. |
| 00:18.11 | Bradipo | And if it wasn't www.sco.com to attack it would have been whoever else was on their blacklist. |
| 00:18.28 | Hanuman | brb - gotta update f-prot |
| 00:20.41 | Hanuman | Bradipo: if you figure anything out let me know - I'd love to learn what you did |
| 00:22.16 | *** part/#utah tomeast (~teastmond@63-253-57-90.ip.mcleodusa.net) |
| 00:23.37 | Hanuman | You know there's something wrong when your 'opt-in' e-mail gets put in your spam folder when you test it. |