Security Basics mailing list archives
RE: loopback address entries on router logs...
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 21 Jun 2004 17:59:33 -0700
Last year, a virus/worm called MSBLAST spread widely, and threatened to launch a denial-of-service attack against windowsupdate.com.

In the early days of trying to contain the spread of this virus, a common suggestion was to add entries to local DNS servers and/or hosts files to resolve the name "windowsupdate.com" to the loopback address. The theory was that when infected machines tried to launch the denial-of-service attack, they'd just DoS themselves.

That would have worked, except that the virus spoofed random source addresses for the attack. So when an infected machine launches the DoS, it hits 127.0.0.1 (itself), port 80, with spoofed packets from a bunch of random source addresses. Generally, infected machines don't have a web server running, so they wind up generating a bunch of "go away" or "unreachable" messages, FROM 127.0.0.1/80, TO <randomly spoofed addresses that appeared to be sources>.

This question has come up 1-2 times a month ever since....

David Gillett
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m () subway com]
Sent: Sunday, June 20, 2004 6:54 PM
To: security-basics () lists securityfocus com
Subject: loopback address entries on router logs...

Hi,
I've suddenly started to get entries in my firewall logs for a loopback address. Destination is various ports. Anyone got any ideas as to what this is? Or how to find out where it's coming from? It's happening a few times a day now.
Thanks:

Sun, 06/20/2004 15:00:16 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1794, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 16:17:54 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1322, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 18:16:38 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1536, LAN - 'Suspicious TCP Data'

Murad Talukdar

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
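The pattern explained in the reply (packets claiming source 127.0.0.1, port 80, arriving from outside) can be picked out of logs in this format mechanically. The following is an added example, not part of the original thread: the label names are hypothetical, the reading of the third source field as the arrival interface is an assumption, and the fourth sample line is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Field layout inferred from the log lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<in_if>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<out_if>\w+)"
)

def classify(line):
    """Return a label (hypothetical names) for one firewall log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    f = m.groupdict()
    try:
        src = ipaddress.ip_address(f["src"])
    except ValueError:
        return "unparsed"  # source is not a literal address (e.g. redacted)
    # 127.0.0.0/8 is never valid on the wire, so a loopback source seen on
    # the external side (assumed to be the "WAN" field) is spoofed or reflected.
    if src.is_loopback and f["in_if"] == "WAN":
        # Source port 80 matches the replies described in the reply above:
        # infected hosts answering from 127.0.0.1:80 to spoofed addresses.
        return "loopback-backscatter" if f["sport"] == "80" else "loopback-martian"
    return "other"

def summarize(lines):
    """Count labels over an iterable of log lines, skipping blank ones."""
    return Counter(classify(l) for l in lines if l.strip())

SAMPLE = [
    # The three entries quoted in the thread:
    "Sun, 06/20/2004 15:00:16 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1794, LAN - 'Suspicious TCP Data'",
    "Sun, 06/20/2004 16:17:54 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1322, LAN - 'Suspicious TCP Data'",
    "Sun, 06/20/2004 18:16:38 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1536, LAN - 'Suspicious TCP Data'",
    # Constructed contrast line (documentation address, not from the thread):
    "Sun, 06/20/2004 18:20:02 - TCP connection dropped - Source:198.51.100.7, 4431, WAN - Destination:210.x.x.x, 445, LAN - 'Suspicious TCP Data'",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:25])
    print(dict(summarize(SAMPLE)))
```

A count of "loopback-backscatter" entries says only that someone else's infected machine is replying to a spoofed address that happens to be yours; dropping loopback-sourced packets at the external interface, as the firewall in the thread already does, is the appropriate handling.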
Current thread:
- loopback address entries on router logs... Murad Talukdar (Jun 21)
- RE: loopback address entries on router logs... David Gillett (Jun 22)