Security Incidents mailing list archives

RE: Localhost packets on WAN

From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 30 Sep 2004 15:23:10 -0700

Blaster blowback is directed at the machine that generated 
the traffic, and
occurs on the LAN of the infected host. If some miracle of 
misconfiguration
guided a 127.0.0.1-destined packet out the gateway onto the upstream
network, what upstream device would answer a SYN to 127.0.0.1 
that did not
originate from its own interface?


  WRONG!  (But see further down, below the "--".)

  Blaster blowback is directed to the spoofed addresses generated
randomly by the blaster virus code, and traverses whatever networks
it needs to to get from the infected machine to those addresses.
  The 127.0.0.1-destined traffic never traverses *any* network; it
occurs completely within the infected host.  The infected host is
answering SYNs that its own DoS code generated to its own loopback
interface.  It's sending the *answers* out an interface, toward
the sources that were spoofed on the SYNs.  [It's true, a "bulletproof"
implementation of the stack COULD reject anything for a 127.*.*.* 
address that didn't originate from one ON THIS MACHINE, but only if 
the stack implementers were willing to commingle layer 2 and layer 3 
info to detect this special case.  It's no surprise that real-world
stacks don't bother.]

The source MAC address said the traffic was coming from my 
upstream's Cisco
router. One day after my upstream stopped the traffic at my 
request, it has
reappeared. More reason for suspicion, and Blaster still 
doesn't explain it.


  The source address of any outside-originated traffic will be 
that of the gateway that last handled it.  The infected machine
is outside your network; it is possible to block this traffic
at a gateway somewhere between the infected machine and your 
network.  The point the ISP chose might not be the only gateway 
between your network and every infected machine in the world....

I don't know what it is. But it is simple to prove what it is 
*not* with the evidence already provided.


  You've proven only that you don't understand the "Blaster blowback"
scenario, and that a *single* infected machine PROBABLY doesn't account 
for all of the traffic you've seen.

--

... what upstream device would answer a SYN to 127.0.0.1 
that did not originate from its own interface?


  Almost any properly-working one, PROVIDED THAT ITS PHYSICAL
MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION.
This, of course, is only possible from within the same LAN segment,
**and is not actually part of the "Blaster blowback" hypothesis**.
(See above; the SYNs in this hypothesis DO originate from its own
interface.)  But the fact that you ask this question suggests that 
your understanding of the operation of the network stack may not
be any more solid than your understanding of the hypothesis itself.

David Gillett

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Thursday, September 30, 2004 10:32 AM
To: 'Incidents List'
Subject: RE: Localhost packets on WAN

  Please offer some *plausible* alternate explanation.  The 
Blaster blowback precisely explains every detail of traffic 
like this that I have seen directly or heard reported by 
others.  Do you possess some additional evidence that 
contradicts it?  Do you have a simpler explanation that 
adequately explains the evidence?


David Nesting listed some plausible scenarios.

I don't know what it is. But it is simple to prove what it is 
*not* with the
evidence already provided.

Blaster blowback is directed at the machine that generated 
the traffic, and
occurs on the LAN of the infected host. If some miracle of 
misconfiguration
guided a 127.0.0.1-destined packet out the gateway onto the upstream
network, what upstream device would answer a SYN to 127.0.0.1 
that did not
originate from its own interface?

The simplest explanation often tends to be correct, but not 
when the facts
clearly contradict it.

On my own traffic, I have additional evidence that it is not Blaster
blowback.

The source MAC address said the traffic was coming from my 
upstream's Cisco
router. One day after my upstream stopped the traffic at my 
request, it has
reappeared. More reason for suspicion, and Blaster still 
doesn't explain it.

I took great pains to make absolutely sure there was no local 
stimulus at
all - I only answered ARPs and otherwise kept silent while 
sniffing. Sure
enough the 127.0.0.1 traffic was completely unsolicited. 
David's scenarios
could apply if someone else was spoofing my address or NATing 
traffic to me.
But again, that is speculation - there is not enough data to 
prove what it
is, and the proof is all upstream of my network so I will not 
have access to
it. 

If you want plausible speculation, I'd say someone might have 
compromised
the upstream router, changed ACLs and set up NATing to hide 
the source of
hostile probes from some other compromised machines downstream of the
router. Odd repetitions in the target ports of the traffic 
could indicate
something more complex.

Current thread:

Re: Localhost packets on WAN Kirby Angell (Sep 30)
- <Possible follow-ups>
- RE: Localhost packets on WAN David Gillett (Sep 30)
  - RE: Localhost packets on WAN James C Slora Jr (Oct 04)
  - RE: Localhost packets on WAN James C Slora Jr (Oct 04)