Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IP 127.0.0.1

from [David Gillett] Network Security [Permanent Link]
Subject: RE: IP 127.0.0.1
Date: Tue, 29 Mar 2005 11:03:21 -0800 
  You should be able to find reams of discussions about this traffic
on Google over the past 20 months....

  The MSBLAST worm (Summer 2003) included code to perform a SYN-flood
DOS attack against windowsupdate.com, which at that time was an alias
to the servers used by Microsoft's "Windows Update" service.  As I
recall, this behaviour was only active during the last week of each 
month.  The DoS code would pseudo-randomly spoof the source addresses
of the SYN packets.
  One of the early recommended countermeasures was to hard-code local
DNS servers to resolve the alias used by the virus to 127.0.0.1, the
canonical loopback address.  The hope (incorrect, unfortunately) was
that infected hosts would simply DoS themselves.

  Unfortunately, a SYN-flood attack only works against a host that wants
to accept the inbound connections.  Most machines infected with MSBLAST
are not web servers, and so a SYN packet to port 80 doesn't tie up a 
connection "slot" -- it generates an RST packet back to the source address
of the SYN.  So near the end of every month, a few infected machines get
back 127.0.0.1 when they resolve this old alias, and generate a few hundred
random "source" addresses, and send them RST packets sourced from
127.0.0.1:80.

  [Most good perimeter security configurations begin with blocking of
bogus source addresses, including 127.0.0.0/8, the RFC 1918 private blocks,
and the multicast/reserved ranges above 224.0.0.0.  So unless the infected
machine is somewhere inside your network perimeter, these packets shouldn't 
reach the inside of your network.
  Contrary to popular myth, routers do not by default do any validation of
source addresses, and so packets like this can travel for quite some way
before hitting a source filter that blocks them.  Ideally, an egress filter
on the originating network would stop the outbound packet with an invalid
source address, but hey -- these guys have a virus that's almost two years 
old on their network, so what are the odds they've got egress filtering in
place?]

David Gillett

  


-----Original Message-----
From: Javier Otero De Alba [mailto:jotero@smartekh.com]
Sent: Monday, March 28, 2005 3:41 PM
To: security-basics@securityfocus.com; focus-ids@securityfocus.com
Subject: IP 127.0.0.1


I have next problem:

We have found pakages in our net with source address 
127.0.0.1 in any part of our wan.
We are interested in find the possible cause.
Tha antivirus does not detect any thing, IPS log shows next 
(in excel format):

Name  Value

Name: Src127
Direction:    Inbound
Destination Port:     1919
Domain:       /My Company
Result Status:        Suspicious
Attack Name:  IP: Packet has Invalid Address 
Source/Destination Address
Benign Trigger Probability:   Low
comments      
Exploit ID:   1
State:        Unacknowledged
Subcategory:  protocol-violation
Source IP:    127.0.0.1
Detection Mechanism:  protocol-anomaly
Sensor ID:    netsensor1
Alert ID      4.76E+18
Application Protocol: - - - -
Source Port:  80
Destination IP:       10.1.10.3
Category:     Exploit
Severity:     Imformational
Network Protocol:     tcp
Time: 2005-02-23 18:03:53.000 CST
Interface:    Red_10.1.10.0

Name  Value

Name: Signature-1109274364921
Direction:    Inbound
Destination Port:     1975
Domain:       /My Company
Result Status:        Blocked
Attack Name:  UDS-127.0.0.1
Benign Trigger Probability:   High
comments      
Exploit ID:   1
State:        Unacknowledged
Subcategory:  - - - -
Source IP:    127.0.0.1
Detection Mechanism:  - - - -
Sensor ID:    netsensor1
Alert ID      4.75875E+18
Application Protocol: - - - -
Source Port:  80
Destination IP:       10.1.3.210
Category:     - - - -
Severity:     High
Network Protocol:     tcp
Time: 2005-02-24 20:29:25.000 CST
Interface:    3A-3B

Name  Value

Name: Src127
Direction:    Inbound
Destination Port:     1111
Domain:       /My Company
Result Status:        Suspicious
Attack Name:  IP: Packet has Invalid Address 
Source/Destination Address
Benign Trigger Probability:   Low
comments      
Exploit ID:   1
State:        Unacknowledged
Subcategory:  protocol-violation
Source IP:    127.0.0.1
Detection Mechanism:  protocol-anomaly
Sensor ID:    netsensor1
Alert ID      4.75875E+18
Application Protocol: - - - -
Source Port:  80
Destination IP:       10.1.5.44
Category:     Exploit
Severity:     Imformational
Network Protocol:     tcp
Time: 2005-02-23 18:03:41.000 CST
Interface:    Red_10.1.5.0

Thanks in advance.


Ing. Fco. Javier Otero De Alba
Diplomado en Seguridad Informatica ITESM CEM 
JNSA-S, JNSS-S
ITStrap
Product Manager 
Juniper Secure Access SSL
5243-4782 al 84 Ext.300
Mixico, D.F.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • IP 127.0.0.1, Javier Otero De Alba
    • RE: IP 127.0.0.1, David Gillett <=
Previous by Date:  ASIC Based IPS, Siddharth Phadnis
Next by Date:  RE: IDS/IPS Management devices, Biswas, Proneet
Previous by Thread:  IP 127.0.0.1, Javier Otero De Alba
Next by Thread:  ASIC Based IPS, Siddharth Phadnis
Indexes:  [Date] [Thread] [Top] [All Lists]