Security Basics mailing list archives
RE: IP 127.0.0.1
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 29 Mar 2005 11:03:21 -0800
You should be able to find reams of discussions about this traffic on Google over the past 20 months.... The MSBLAST worm (Summer 2003) included code to perform a SYN-flood DOS attack against windowsupdate.com, which at that time was an alias to the servers used by Microsoft's "Windows Update" service. As I recall, this behaviour was only active during the last week of each month. The DoS code would pseudo-randomly spoof the source addresses of the SYN packets. One of the early recommended countermeasures was to hard-code local DNS servers to resolve the alias used by the virus to 127.0.0.1, the canonical loopback address. The hope (incorrect, unfortunately) was that infected hosts would simply DoS themselves. Unfortunately, a SYN-flood attack only works against a host that wants to accept the inbound connections. Most machines infected with MSBLAST are not web servers, and so a SYN packet to port 80 doesn't tie up a connection "slot" -- it generates an RST packet back to the source address of the SYN. So near the end of every month, a few infected machines get back 127.0.0.1 when they resolve this old alias, and generate a few hundred random "source" addresses, and send them RST packets sourced from 127.0.0.1:80. [Most good perimeter security configurations begin with blocking of bogus source addresses, including 127.0.0.0/8, the RFC 1918 private blocks, and the multicast/reserved ranges above 224.0.0.0. So unless the infected machine is somewhere inside your network perimeter, these packets shouldn't reach the inside of your network. Contrary to popular myth, routers do not by default do any validation of source addresses, and so packets like this can travel for quite some way before hitting a source filter that blocks them. Ideally, an egress filter on the originating network would stop the outbound packet with an invalid source address, but hey -- these guys have a virus that's almost two years old on their network, so what are the odds they've got egress filtering in place?] David Gillett
-----Original Message----- From: Javier Otero De Alba [mailto:jotero () smartekh com] Sent: Monday, March 28, 2005 3:41 PM To: security-basics () securityfocus com; focus-ids () securityfocus com Subject: IP 127.0.0.1 I have next problem: We have found pakages in our net with source address 127.0.0.1 in any part of our wan. We are interested in find the possible cause. Tha antivirus does not detect any thing, IPS log shows next (in excel format): Name Value Name: Src127 Direction: Inbound Destination Port: 1919 Domain: /My Company Result Status: Suspicious Attack Name: IP: Packet has Invalid Address Source/Destination Address Benign Trigger Probability: Low comments Exploit ID: 1 State: Unacknowledged Subcategory: protocol-violation Source IP: 127.0.0.1 Detection Mechanism: protocol-anomaly Sensor ID: netsensor1 Alert ID 4.76E+18 Application Protocol: - - - - Source Port: 80 Destination IP: 10.1.10.3 Category: Exploit Severity: Imformational Network Protocol: tcp Time: 2005-02-23 18:03:53.000 CST Interface: Red_10.1.10.0 Name Value Name: Signature-1109274364921 Direction: Inbound Destination Port: 1975 Domain: /My Company Result Status: Blocked Attack Name: UDS-127.0.0.1 Benign Trigger Probability: High comments Exploit ID: 1 State: Unacknowledged Subcategory: - - - - Source IP: 127.0.0.1 Detection Mechanism: - - - - Sensor ID: netsensor1 Alert ID 4.75875E+18 Application Protocol: - - - - Source Port: 80 Destination IP: 10.1.3.210 Category: - - - - Severity: High Network Protocol: tcp Time: 2005-02-24 20:29:25.000 CST Interface: 3A-3B Name Value Name: Src127 Direction: Inbound Destination Port: 1111 Domain: /My Company Result Status: Suspicious Attack Name: IP: Packet has Invalid Address Source/Destination Address Benign Trigger Probability: Low comments Exploit ID: 1 State: Unacknowledged Subcategory: protocol-violation Source IP: 127.0.0.1 Detection Mechanism: protocol-anomaly Sensor ID: netsensor1 Alert ID 4.75875E+18 Application Protocol: - - - - Source Port: 80 Destination IP: 10.1.5.44 Category: Exploit Severity: Imformational Network Protocol: tcp Time: 2005-02-23 18:03:41.000 CST Interface: Red_10.1.5.0 Thanks in advance. Ing. Fco. Javier Otero De Alba Diplomado en Seguridad Informática ITESM CEM JNSA-S, JNSS-S ITStrap Product Manager Juniper Secure Access SSL 5243-4782 al 84 Ext.300 México, D.F.
Current thread:
- IP 127.0.0.1 Javier Otero De Alba (Mar 29)
- RE: IP 127.0.0.1 David Gillett (Mar 30)