RE: msblast DDos counter measures (More Insight Maybe?)

["Christopher Lyon" <cslyon () netsvcs com>]

> -----Original Message-----
> From: Vladimir Parkhaev [mailto:vladimir () arobas net]
> Sent: Friday, August 15, 2003 9:18 AM
> To: Christopher Lyon
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] msblast DDos counter measures (More
Insight
> Maybe?)
>
> Quoting Christopher Lyon (cslyon () netsvcs com):
> > Look at these traces to see what it is doing. Note the source and
> > destination ports and addresses.
> >
> > WINDOWSUPDATE.COM set to resolve normally
> > 19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S
> > 886046720:886046720(0) win 16384
> >
> > It is allowed to resolve normally and the source is just what we
think.
> > 192.168.x.x with the x's random numbers. This is what we all know
and
> > can prove.
>
> Yeah, OK. That is a SYN packet.
>
>
> > WINDOWSUPDATE.COM set to 127.0.0.1
> > 19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R
> > 0:0(0) ack 68419585 win 0
> >
> > Now look at the source, the source is 127.0.0.1 and the destination
is
> > the 1921.68.x.x with the x's being random numbers. That is what I am
> > saying is different. Also note that the dst port is 80.
>
> Yeah, OK. That is a RST packet! You are confused.
>
> Lemme have a second go at it:
> Your box 192.168.187.171 (infected).
> You set windowsupdate.com to 127.0.0.1
> Your infected box sends SYN to itself (dst=127.0.0.1) port 80,
> and randomly selected src in 192.168.x.y range and port. You do
> not see this packet, it does not go on the wire. Next your PC
> replies with a RST packet, the one you posted
> (19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R)
>                                                                   ^^^
>                                                           RST packet!
> because there is webserver listening on port 80 ( if there was, you
would
> have
> seen SYN/ACK packet).
>
>
>
> > So, what I am saying is that the syn flood will leave the box but it
> > will leave differently then we all think. So, can someone confirm
this?
> > I have been seeing this in two different environments now.
>
> Sure, I'll confirm:
>
> Packets with src=127.0.0.1 will be droped by routers and firewalls. If
you
> screw with DNS and windowsupdate.com you will have a lot of RST
packets
> flying inside your LAN.

OK,
Sorry that I didn't see that before but I see it now. Thanks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html