
| Subject: | Re: Localhost packets on WAN |
|---|---|
| Date: | Thu, 30 Sep 2004 00:16:18 -0500 |
On Wed, 2004-09-29 at 00:37, Kirby Angell wrote:
Once on the 26th and 8 times today we received packets from 127.0.0.1:80 to an ephemeral port on one of our WAN IPs. [...] The TTLs are all 121 which I make for a Windows box about 7 hops away. The packets today all looked almost identical to the one at the end of this message. The only differences are the ID field and the ephemeral port the packet went to. They all have the RST/ACK flags set.
That is the question that will never die. It was just asked at the beginning of August again. You could search the archives, but for convenience I attached the same reply I've been making every couple of months. Perhaps it's time to wrap this into an auto-responder...
---8<---
From: Dan Hanson <dhanson@securityfocus.com>
To: incidents@securityfocus.com
Subject: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?
Date: Tue, 28 Oct 2003 08:59:56 -0700 (MST)
I am posting this in the hopes of dulling the 5-6 messages I get every day that are reporting port scans to their network, all of which have a source IP of 127.0.0.1 and source port 80.

It is likely Blaster (check your favourite AV site for a writeup, I won't summarize here).

The reason that people are seeing this has to do with some very bad advice that was given early in the Blaster outbreak. The advice basically was that to protect the Internet from the DoS attack that was to hit windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to windowsupdate.com. Essentially these suggestions were suggesting that hosts should commit suicide to protect the Internet.

The problem is that the DoS routine spoofs the source address, so when windowsupdate.com resolves to 127.0.0.1 the following happens.

Infected host picks an address as source address and sends a SYN packet to 127.0.0.1 port 80. (Sends it to itself.) (This never makes it on the wire; you will not see this part.)

TCP/IP stack receives the packet, responds with a reset (if there is nothing listening on that port), sending the reset to the host with the spoofed source address. (This is what people are seeing and mistaking for portscans.)

Result: It looks like a host is port scanning ephemeral ports using packets with source address:port of 127.0.0.1:80.

Solution: track back the packets by MAC address to find the infected machine. Turn off DNS resolution of windowsupdate.com to 127.0.0.1.

Hope that helps

D
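The pattern Dan describes is easy to pick out on a sensor: a TCP segment whose source is 127.0.0.1:80, whose flags are RST/ACK, aimed at a high port on one of your public addresses. The script below is an added example, not code from the thread or from either poster. It builds a few constructed Ethernet/IPv4/TCP frames (no checksums, documentation-range addresses, made-up MACs), parses them back, flags the loopback resets, groups them by source MAC as Dan's "track back by MAC address" advice suggests, and estimates the sender's distance from the TTL the way Kirby did (121 observed, 128 initial on Windows, so about 7 hops). All function and variable names are my own.

```python
import struct
from ipaddress import ip_address

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

# Common initial TTLs; Windows starts at 128, which is why 121 reads as "7 hops away".
INITIAL_TTLS = (64, 128, 255)


def build_frame(src_mac, dst_mac, src_ip, src_port, dst_ip, dst_port, flags, ttl, ip_id):
    """Constructed Ethernet/IPv4/TCP frame for testing (no checksums, no options)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    # TCP: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 0, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, frag, ttl, proto 6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + tcp


def parse_frame(frame):
    """Pull out the fields needed for triage; returns None for non-IPv4/TCP frames."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _, _, ip_id, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        return None
    tcp = ip[(ver_ihl & 0x0F) * 4:]
    src_port, dst_port, _, _, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src_mac": src_mac, "src_ip": str(ip_address(src)), "src_port": src_port,
            "dst_ip": str(ip_address(dst)), "dst_port": dst_port, "flags": flags,
            "ttl": ttl, "ip_id": ip_id}


def estimate_hops(ttl):
    """Hops travelled, assuming the nearest common initial TTL at or above the observed one."""
    return min(t - ttl for t in INITIAL_TTLS if t >= ttl)


def is_loopback_reset(pkt):
    """RST/ACK from 127.0.0.1:80 to an ephemeral port: the reflected Blaster reset."""
    rst_ack = TCP_RST | TCP_ACK
    return (pkt["src_ip"] == "127.0.0.1" and pkt["src_port"] == 80
            and (pkt["flags"] & rst_ack) == rst_ack
            and not pkt["flags"] & TCP_SYN
            and pkt["dst_port"] >= 1024)


def triage(frames):
    """Group matching frames by the MAC they arrived from, with the hop estimates seen."""
    report = {}
    for pkt in map(parse_frame, frames):
        if pkt is None or not is_loopback_reset(pkt):
            continue
        entry = report.setdefault(pkt["src_mac"], {"count": 0, "hops": set()})
        entry["count"] += 1
        entry["hops"].add(estimate_hops(pkt["ttl"]))
    return report


# Constructed sample capture: made-up MACs, documentation-range public addresses.
SENSOR_MAC = "00:de:ad:be:ef:01"
LOCAL_INFECTED_MAC = "00:11:22:33:44:55"   # an infected host on our own segment
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"          # upstream router: remote senders hide behind it
WAN_IP = "198.51.100.7"

SAMPLE_FRAMES = (
    # two reflections from a local Windows host: TTL still 128, 0 hops
    [build_frame(LOCAL_INFECTED_MAC, SENSOR_MAC, "127.0.0.1", 80, WAN_IP, 1025 + i,
                 TCP_RST | TCP_ACK, 128, 50000 + i) for i in range(2)]
    # three reflections from a remote host, 7 hops away as in Kirby's report
    + [build_frame(GATEWAY_MAC, SENSOR_MAC, "127.0.0.1", 80, WAN_IP, 3000 + i,
                   TCP_RST | TCP_ACK, 121, 40000 + i) for i in range(3)]
    # ordinary traffic that must not match
    + [build_frame(GATEWAY_MAC, SENSOR_MAC, "203.0.113.10", 80, WAN_IP, 33000,
                   TCP_PSH | TCP_ACK, 52, 7),
       build_frame(GATEWAY_MAC, SENSOR_MAC, "203.0.113.20", 40000, WAN_IP, 22,
                   TCP_SYN, 59, 8)]
)

if __name__ == "__main__":
    for mac, entry in triage(SAMPLE_FRAMES).items():
        print(f"{mac}: {entry['count']} loopback resets, about {sorted(entry['hops'])} hops away")
```

The MAC grouping only identifies the infected machine when it sits on your own segment (hop estimate 0); for resets arriving through the gateway with a lower TTL, the source MAC is just the router's, and the estimate tells you roughly how far upstream to look.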