
| Subject: | Re: [Full-Disclosure] Odd packet? |
|---|---|
| Date: | Wed, 26 May 2004 14:33:27 -0500 (CDT) |
This traffic is the result of machines on the internet being infected with Blaster.E. This worm attempts to DOS the website of kimble.org, which currently resolves to 127.0.0.1, whereas none of the other variants have any targets.

What happens (similar writeups can be found from Google):

The worm attempts to DOS kimble.org with a spoofed source address from a high port. So, the machine attempts to connect to kimble.org (127.0.0.1) on port 80. This will usually fail (unless you happen to be running a local webserver), causing a packet with a RST+ACK (the TCP way of the port not being there) from localhost (127.0.0.1) on port 80 to whatever the spoofed IP address and high port were.

So, you will get (unless egress filtering is in place) a packet from 127.0.0.1 with RST+ACK destined for a machine on your network.

Hope this clears things up for people...

Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip@duckwall.net
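A detection check for the traffic described in the message above, as an added example that is not part of the original post: it parses raw IPv4/TCP bytes as seen on a non-loopback interface and flags a loopback source address, with a separate label for RST+ACK from port 80. The function names, labels, and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RST, ACK = 0x04, 0x10


def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed sample data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


def classify(packet):
    """Label one raw IPv4 packet captured on a non-loopback interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    src = ipaddress.ip_address(packet[12:16])
    if src not in LOOPBACK:
        return "ok"
    # A 127.0.0.0/8 source should never appear on the wire at all.
    if packet[9] != 6 or len(packet) < ihl + 14:
        return "martian-loopback"
    (sport,) = struct.unpack("!H", packet[ihl:ihl + 2])
    flags = packet[ihl + 13]
    if sport == 80 and flags & (RST | ACK) == (RST | ACK):
        return "loopback-rst-ack-from-80"   # the pattern described in the message
    return "martian-loopback"


def summarize(packets):
    """Count labels over a capture so the RST+ACK pattern stands out."""
    return Counter(classify(p) for p in packets)


# Constructed sample capture: two matching packets, one ordinary reset, one other martian.
SAMPLES = [
    build_packet("127.0.0.1", "192.0.2.10", 80, 40123, RST | ACK),
    build_packet("127.0.0.1", "192.0.2.77", 80, 51344, RST | ACK),
    build_packet("198.51.100.7", "192.0.2.10", 80, 40123, RST | ACK),
    build_packet("127.0.0.1", "192.0.2.10", 80, 40123, 0x12),  # SYN+ACK
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
```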