Full Disclosure mailing list archives

Re: msblast DDos counter measures (More Insight Maybe?)


From: Vladimir Parkhaev <vladimir () arobas net>
Date: Fri, 15 Aug 2003 12:17:44 -0400

Quoting Christopher Lyon (cslyon () netsvcs com):
> Look at these traces to see what it is doing. Note the source and
> destination ports and addresses.
>
> WINDOWSUPDATE.COM set to resolve normally
> 19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S
> 886046720:886046720(0) win 16384
>
> It is allowed to resolve normally and the source is just what we think.
> 192.168.x.x with the x's random numbers. This is what we all know and
> can prove.

Yeah, OK. That is a SYN packet.

> WINDOWSUPDATE.COM set to 127.0.0.1
> 19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R
> 0:0(0) ack 68419585 win 0
>
> Now look at the source, the source is 127.0.0.1 and the destination is
> the 192.168.x.x with the x's being random numbers. That is what I am
> saying is different. Also note that the dst port is 80.

Yeah, OK. That is a RST packet! You are confused.

Lemme have a second go at it:
Your box 192.168.187.171 (infected).
You set windowsupdate.com to 127.0.0.1
Your infected box sends SYN to itself (dst=127.0.0.1) port 80,
and randomly selected src in 192.168.x.y range and port. You do 
not see this packet, it does not go on the wire. Next your PC 
replies with a RST packet, the one you posted 
(19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R)
                                                                  ^^^
                                                          RST packet!
because there is no webserver listening on port 80 (if there were, you would have
seen a SYN/ACK packet).

> So, what I am saying is that the syn flood will leave the box but it
> will leave differently than we all think. So, can someone confirm this?
> I have been seeing this in two different environments now.

Sure, I'll confirm:

Packets with src=127.0.0.1 will be dropped by routers and firewalls. If you
screw with DNS and windowsupdate.com you will have a lot of RST packets
flying inside your LAN.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
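The loopback round trip described in the reply above, as an added example that is not part of the original post or of the msblast thread: a small Python classifier that parses the two tcpdump lines quoted in the thread plus a constructed third line standing in for the SYN that never reaches the wire, and reports for each packet whether it leaves the host at all and whether a router or firewall with an ordinary martian (127/8 source) filter would forward it. The tcpdump 3.x field layout, the service-name and localhost lookup tables, and the constructed SYN's sequence number are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input. The first two lines are the tcpdump 3.x traces
# quoted in the thread; the third is a hypothetical reconstruction of the SYN
# that the reply says never reaches the wire (spoofed 192.168.x.y source,
# destination 127.0.0.1:80), written in the same format. Its sequence number
# is chosen so that the quoted RST's "ack 68419585" is seq + 1.
TRACE_NORMAL = ("19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: "
                "S 886046720:886046720(0) win 16384")
TRACE_LOOPBACK_RST = ("19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: "
                      "R 0:0(0) ack 68419585 win 0")
TRACE_SELF_SYN = ("19:39:56.131600 192.168.83.210.1269 > localhost.localdomain.http: "
                  "S 68419584:68419584(0) win 16384")

# tcpdump 3.x prints service names for well-known ports and resolves loopback
# to its hostname; these small tables (assumed, not exhaustive) undo that.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53}
HOST_ALIASES = {"localhost": "127.0.0.1", "localhost.localdomain": "127.0.0.1"}

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..." as tcpdump 3.x prints TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPFU.]+)\s"
)


@dataclass(frozen=True)
class TcpPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def split_endpoint(endpoint: str):
    """'192.168.187.171.1823' -> ('192.168.187.171', 1823);
    'localhost.localdomain.http' -> ('127.0.0.1', 80)."""
    host, _, port = endpoint.rpartition(".")
    host = HOST_ALIASES.get(host, host)
    if port.isdigit():
        return host, int(port)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    raise ValueError(f"unknown port token {port!r} in {endpoint!r}")


def parse_line(line: str) -> TcpPacket:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return TcpPacket(m["ts"], src, sport, dst, dport, m["flags"])


def classify(pkt: TcpPacket) -> str:
    """Which stage of the flood a packet belongs to."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.flags == "S" and pkt.dport == 80 and dst.is_loopback:
        return "self-syn"       # spoofed SYN aimed at 127.0.0.1, stays in the host stack
    if pkt.flags == "S" and pkt.dport == 80:
        return "syn-flood"      # the SYN flood everyone expects
    if "R" in pkt.flags and pkt.sport == 80 and src.is_loopback:
        return "loopback-rst"   # the kernel's RST to the spoofed source: nothing listens on :80
    return "other"


def leaves_host(pkt: TcpPacket) -> bool:
    """Put on the wire at all? A 127/8 destination is delivered internally."""
    return not ipaddress.ip_address(pkt.dst).is_loopback


def passes_router(pkt: TcpPacket) -> bool:
    """Forwarded by a router/firewall with a plain martian filter? A 127/8
    source is dropped, so such a packet can cross the LAN but not leave it."""
    src = ipaddress.ip_address(pkt.src)
    return leaves_host(pkt) and not (src.is_loopback or src.is_unspecified)


def analyze(lines):
    """Return (class, on_lan, past_router) for each tcpdump line."""
    return [(classify(p), leaves_host(p), passes_router(p)) for p in map(parse_line, lines)]


if __name__ == "__main__":
    sample = [TRACE_NORMAL, TRACE_SELF_SYN, TRACE_LOOPBACK_RST]
    for line, (kind, on_lan, past_router) in zip(sample, analyze(sample)):
        print(f"{kind:<13} on_lan={on_lan!s:<5} past_router={past_router!s:<5} {line[:58]}")
```

Run as a script it prints one verdict per line: the normal SYN reaches the target, the spoofed SYN to 127.0.0.1 never leaves the host, and the RST with a 127.0.0.1 source goes onto the LAN but stops at the first router, which is the pattern the reply describes.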