Security Incidents mailing list archives
RE: Localhost packets on WAN
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 30 Sep 2004 15:23:10 -0700
Blaster blowback is directed at the machine that generated the traffic, and occurs on the LAN of the infected host. If some miracle of misconfiguration guided a 127.0.0.1-destined packet out the gateway onto the upstream network, what upstream device would answer a SYN to 127.0.0.1 that did not originate from its own interface?
WRONG! (But see further down, below the "--".) Blaster blowback is directed to the spoofed addresses generated randomly by the blaster virus code, and traverses whatever networks it needs to to get from the infected machine to those addresses. The 127.0.0.1-destined traffic never traverses *any* network; it occurs completely within the infected host. The infected host is answering SYNs that its own DoS code generated to its own loopback interface. It's sending the *answers* out an interface, toward the sources that were spoofed on the SYNs. [It's true, a "bulletproof" implementation of the stack COULD reject anything for a 127.*.*.* address that didn't originate from one ON THIS MACHINE, but only if the stack implementers were willing to commingle layer 2 and layer 3 info to detect this special case. It's no surprise that real-world stacks don't bother.]
The source MAC address said the traffic was coming from my upstream's Cisco router. One day after my upstream stopped the traffic at my request, it has reappeared. More reason for suspicion, and Blaster still doesn't explain it.
The source address of any outside-originated traffic will be that of the gateway that last handled it. The infected machine is outside your network; it is possible to block this traffic at a gateway somewhere between the infected machine and your network. The point the ISP chose might not be the only gateway between your network and every infected machine in the world....
I don't know what it is. But it is simple to prove what it is *not* with the evidence already provided.
You've proven only that you don't understand the "Blaster blowback" scenario, and that a *single* infected machine PROBABLY doesn't account for all of the traffic you've seen. --
... what upstream device would answer a SYN to 127.0.0.1 that did not originate from its own interface?
Almost any properly-working one, PROVIDED THAT ITS PHYSICAL MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION. This, of course, is only possible from within the same LAN segment, **and is not actually part of the "Blaster blowback" hypothesis**. (See above; the SYNs in this hypothesis DO originate from its own interface.) But the fact that you ask this question suggests that your understanding of the operation of the network stack may not be any more solid than your understanding of the hypothesis itself. David Gillett
-----Original Message----- From: James C Slora Jr [mailto:Jim.Slora () phra com] Sent: Thursday, September 30, 2004 10:32 AM To: 'Incidents List' Subject: RE: Localhost packets on WANPlease offer some *plausible* alternate explanation. The Blaster blowback precisely explains every detail of traffic like this that I have seen directly or heard reported by others. Do you possess some additional evidence that contradicts it? Do you have a simpler explanation that adequately explains the evidence?David Nesting listed some plausible scenarios. I don't know what it is. But it is simple to prove what it is *not* with the evidence already provided. Blaster blowback is directed at the machine that generated the traffic, and occurs on the LAN of the infected host. If some miracle of misconfiguration guided a 127.0.0.1-destined packet out the gateway onto the upstream network, what upstream device would answer a SYN to 127.0.0.1 that did not originate from its own interface? The simplest explanation often tends to be correct, but not when the facts clearly contradict it. On my own traffic, I have additional evidence that it is not Blaster blowback. The source MAC address said the traffic was coming from my upstream's Cisco router. One day after my upstream stopped the traffic at my request, it has reappeared. More reason for suspicion, and Blaster still doesn't explain it. I took great pains to make absolutely sure there was no local stimulus at all - I only answered ARPs and otherwise kept silent while sniffing. Sure enough the 127.0.0.1 traffic was completely unsolicited. David's scenarios could apply if someone else was spoofing my address or NATing traffic to me. But again, that is speculation - there is not enough data to prove what it is, and the proof is all upstream of my network so I will not have access to it. If you want plausible speculation, I'd say someone might have compromised the upstream router, changed ACLs and set up NATing to hide the source of hostile probes from some other compromised machines downstream of the router. Odd repetitions in the target ports of the traffic could indicate something more complex.
Current thread:
- Re: Localhost packets on WAN Kirby Angell (Sep 30)
- <Possible follow-ups>
- RE: Localhost packets on WAN David Gillett (Sep 30)
- RE: Localhost packets on WAN James C Slora Jr (Oct 04)
- RE: Localhost packets on WAN James C Slora Jr (Oct 04)