Security Basics mailing list archives

RE: loopback address entries on router logs...


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 21 Jun 2004 17:59:33 -0700

  Last year, a virus/worm called MSBLAST spread widely, and threatened
to launch a denial-of-service attack against windowsupdate.com .  In
the early days of trying to contain the spread of this virus, a common
suggestion was to add entries to local DNS servers and/or hosts files
to resolve the name "windowsupdate.com" to the loopback address.  The
theory was that when infected machines tried to launch the denial-of-service
attack, they'd just DoS themselves.
  That would have worked, except that the virus spoofed random source
addresses for the attack.  So when an infected machine launches the DoS,
it hits 127.0.0.1 (itself), port 80, with spoofed packets from a bunch
of random source addresses.
  Generally, infected machines don't have a web server running, so they
wind up generating a bunch of "go away" or "unreachable" messages, FROM
127.0.0.1/80, TO <randomly spoofed addresses that appeared to be sources>.

  This question has come up 1-2 times a month ever since....

David Gillett


-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m () subway com]
Sent: Sunday, June 20, 2004 6:54 PM
To: security-basics () lists securityfocus com
Subject: loopback address entries on router logs...


Hi,
I've suddenly started to get entries in my firewall logs for a loopback
address. Destination is various ports. Anyone got any ideas as to what this
is? Or how to find out where it's coming from?
It's happening a few times a day now.
Thanks:
Sun, 06/20/2004 15:00:16 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1794, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 16:17:54 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1322, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 18:16:38 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:210.x.x.x, 1536, LAN - 'Suspicious TCP Data'




Murad Talukdar
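
A triage sketch for the log format in this thread, added here as an example and not part of either poster's message: it parses the entries (including ones wrapped across lines by e-mail) and separates loopback-sourced port-80 replies, the pattern David Gillett describes, from other loopback-sourced packets. The first sample entry is from the post; the remaining entries, the label names and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First entry is from the post (wrapped as it arrived); the others are
# constructed, using documentation-range addresses, to exercise each branch.
SAMPLE_LOG = """\
Sun, 06/20/2004 15:00:16 - TCP connection dropped -
Source:127.0.0.1, 80,
WAN - Destination:210.x.x.x, 1794, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 15:02:41 - TCP connection dropped - Source:198.51.100.7, 4431, WAN - Destination:203.0.113.10, 135, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 16:20:03 - TCP connection dropped - Source:127.0.0.1, 80, WAN - Destination:203.0.113.11, 1322, LAN - 'Suspicious TCP Data'
Sun, 06/20/2004 17:05:09 - TCP connection dropped - Source:127.0.0.9, 4000, WAN - Destination:203.0.113.11, 25, LAN - 'Suspicious TCP Data'
"""

ENTRY = re.compile(
    r"(?P<ts>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - (?P<event>.+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dst_if>\w+)"
)

def parse(text):
    """Return one dict per log entry, rejoining entries wrapped by e-mail."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def classify(entry):
    """Label an entry by its source address and source port."""
    try:
        src = ipaddress.ip_address(entry["src"])
    except ValueError:          # masked or malformed source, e.g. 210.x.x.x
        return "other"
    if not src.is_loopback:
        return "other"
    # Any 127.0.0.0/8 source seen on the wire is a martian. Source port 80
    # matches the thread's explanation: a host answering, from its own
    # loopback web port, packets whose source addresses were spoofed.
    if entry["sport"] == "80":
        return "loopback-port80-reply"
    return "loopback-martian"

def summarize(text):
    """Count entries per label so recurring loopback replies stand out."""
    return Counter(classify(e) for e in parse(text))

if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(e["ts"], e["src"], e["sport"], "->", e["dst"], e["dport"], classify(e))
    print(dict(summarize(SAMPLE_LOG)))
```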



