Full Disclosure mailing list archives

Re: Odd packet?


From: Skip Duckwall <skip () duckwall net>
Date: Wed, 26 May 2004 14:33:27 -0500 (CDT)

This traffic is the result of machines on the internet being infected with
Blaster.E.  This worm attempts to DOS the website of kimble.org, which
currently resolves to 127.0.0.1, whereas none of the other variants have
any targets.

What happens (similar writeups can be found via Google):

The worm attempts to DOS kimble.org with a spoofed source address from a
high port.

So, the machine attempts to connect to kimble.org (127.0.0.1) on port 80.

This will usually fail (unless you happen to be running a local webserver)
causing a packet with a RST+ACK (the TCP way of the port not being there)
from localhost (127.0.0.1) on port 80 to whatever the spoofed IP address
and high port were.

So, you will get (unless egress filtering is in place) a packet from
127.0.0.1 with RST+ACK destined for a machine on your network.


Hope this clears things up for people...

Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip () duckwall net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
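A defender-side check for the traffic pattern described in this post, added here as an example and not part of the original message: it scans tcpdump-style log lines for RST+ACK segments whose source address is in 127.0.0.0/8, which should never arrive over a network link. The line format, the regex and the sample lines are assumptions constructed for this example; they are not a real capture.

```python
import ipaddress
import re

# Constructed sample lines in tcpdump-style syntax (not a real capture).
# Lines 1 and 3 match the pattern from the post: RST+ACK from 127.0.0.1:80
# to a spoofed internal address and high port. Lines 2 and 4 are normal.
SAMPLE_LINES = [
    "14:33:27.100100 IP 127.0.0.1.80 > 10.0.0.5.41932: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:33:27.200200 IP 10.0.0.5.41933 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0",
    "14:33:27.300300 IP 127.0.0.1.80 > 10.0.0.9.41001: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:33:27.400400 IP 198.51.100.20.80 > 10.0.0.5.41933: Flags [R.], seq 0, ack 2, win 0, length 0",
]

# Assumed tcpdump-like layout: "IP src.sport > dst.dport: Flags [..]"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None if the line does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def is_loopback_rst(rec):
    """True for a RST+ACK whose source is 127/8: a packet that should never cross a link."""
    src, _sport, _dst, _dport, flags = rec
    src_is_loopback = ipaddress.ip_address(src) in LOOPBACK
    # tcpdump prints RST as 'R' and ACK as '.'
    return src_is_loopback and "R" in flags and "." in flags


def find_backscatter(lines):
    """Return (dst, dport, sport) for every loopback-sourced RST+ACK seen in the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_loopback_rst(rec):
            hits.append((rec[2], rec[3], rec[1]))
    return hits


if __name__ == "__main__":
    for dst, dport, sport in find_backscatter(SAMPLE_LINES):
        print(f"loopback RST+ACK from port {sport} to {dst}:{dport}")
```

Each hit points at a destination that was used as a spoofed source by an infected host somewhere upstream; the fix the post implies is egress filtering of 127/8 sources at the network edge.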
