Full Disclosure mailing list archives
Re: Odd packet?
From: Skip Duckwall <skip () duckwall net>
Date: Wed, 26 May 2004 14:33:27 -0500 (CDT)
This traffic is the result of machines on the internet being infected with Blaster.E. This worm attempts to DOS the website of kimble.org, which currently resolves to 127.0.0.1, whereas none of the other variants have any targets.

What happens (similar writeups can be found from Google):

The worm attempts to DOS kimble.org with a spoofed source address from a high port. So, the machine attempts to connect to kimble.org (127.0.0.1) on port 80. This will usually fail (unless you happen to be running a local webserver) causing a packet with a RST+ACK (the TCP way of the port not being there) from localhost (127.0.0.1) on port 80 to whatever the spoofed IP address and high port were. So, you will get (unless egress filtering is in place) a packet from 127.0.0.1 with RST+ACK destined for a machine on your network.

Hope this clears things up for people...

Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip () duckwall net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
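
Added example, not part of the original post: a Python check that parses a raw IPv4/TCP packet and flags the signature described in the message above (source in 127.0.0.0/8, source port 80, RST+ACK set, arriving from the wire). The 1024 threshold for "high port", the label strings, and the sample packets (constructed with documentation addresses) are assumptions of this example.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RST, ACK = 0x04, 0x10
HIGH_PORT = 1024  # assumption: what counts as a "high port"

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags), or None if not well-formed IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None                        # bad IHL, not TCP, or truncated
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, dst, sport, dport, pkt[ihl + 13]

def classify(pkt: bytes) -> str:
    """Label a packet captured on a network interface (not on lo)."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return "not-ipv4-tcp"
    src, _dst, sport, dport, flags = parsed
    if src not in LOOPBACK:
        return "normal"
    # A loopback source never belongs on the wire; this is the specific
    # reply a closed local port 80 sends back to a spoofed source address.
    if sport == 80 and dport >= HIGH_PORT and flags & (RST | ACK) == (RST | ACK):
        return "loopback-rst-ack-from-80"
    return "loopback-martian"

def build(src, dst, sport, dport, flags) -> bytes:
    """Construct a minimal 40-byte IPv4/TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + tcp

# Constructed sample packets; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = [
    build("127.0.0.1", "192.0.2.10", 80, 40123, RST | ACK),
    build("198.51.100.7", "192.0.2.10", 80, 40123, RST | ACK),
    build("127.0.0.1", "192.0.2.10", 80, 40123, 0x12),  # SYN+ACK
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```

Both loopback labels warrant dropping the packet at the border; the narrower label only separates this backscatter from other loopback-sourced traffic.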