RE: IP 127.0.0.1

["David Gillett" <gillettdavid () fhda edu>]

  You should be able to find reams of discussions about this traffic
on Google over the past 20 months....

  The MSBLAST worm (Summer 2003) included code to perform a SYN-flood
DOS attack against windowsupdate.com, which at that time was an alias
to the servers used by Microsoft's "Windows Update" service.  As I
recall, this behaviour was only active during the last week of each 
month.  The DoS code would pseudo-randomly spoof the source addresses
of the SYN packets.
  One of the early recommended countermeasures was to hard-code local
DNS servers to resolve the alias used by the virus to 127.0.0.1, the
canonical loopback address.  The hope (incorrect, unfortunately) was
that infected hosts would simply DoS themselves.

  Unfortunately, a SYN-flood attack only works against a host that wants
to accept the inbound connections.  Most machines infected with MSBLAST
are not web servers, and so a SYN packet to port 80 doesn't tie up a 
connection "slot" -- it generates an RST packet back to the source address
of the SYN.  So near the end of every month, a few infected machines get
back 127.0.0.1 when they resolve this old alias, and generate a few hundred
random "source" addresses, and send them RST packets sourced from
127.0.0.1:80.

  [Most good perimeter security configurations begin with blocking of
bogus source addresses, including 127.0.0.0/8, the RFC 1918 private blocks,
and the multicast/reserved ranges above 224.0.0.0.  So unless the infected
machine is somewhere inside your network perimeter, these packets shouldn't 
reach the inside of your network.
  Contrary to popular myth, routers do not by default do any validation of
source addresses, and so packets like this can travel for quite some way
before hitting a source filter that blocks them.  Ideally, an egress filter
on the originating network would stop the outbound packet with an invalid
source address, but hey -- these guys have a virus that's almost two years 
old on their network, so what are the odds they've got egress filtering in
place?]

David Gillett

  

> -----Original Message-----
> From: Javier Otero De Alba [mailto:jotero () smartekh com]
> Sent: Monday, March 28, 2005 3:41 PM
> To: security-basics () securityfocus com; focus-ids () securityfocus com
> Subject: IP 127.0.0.1
>
>
> I have next problem:
>
> We have found pakages in our net with source address 
> 127.0.0.1 in any part of our wan.
> We are interested in find the possible cause.
> Tha antivirus does not detect any thing, IPS log shows next 
> (in excel format):
>
> Name  Value
>
> Name: Src127
> Direction:    Inbound
> Destination Port:     1919
> Domain:       /My Company
> Result Status:        Suspicious
> Attack Name:  IP: Packet has Invalid Address 
> Source/Destination Address
> Benign Trigger Probability:   Low
> comments      
> Exploit ID:   1
> State:        Unacknowledged
> Subcategory:  protocol-violation
> Source IP:    127.0.0.1
> Detection Mechanism:  protocol-anomaly
> Sensor ID:    netsensor1
> Alert ID      4.76E+18
> Application Protocol: - - - -
> Source Port:  80
> Destination IP:       10.1.10.3
> Category:     Exploit
> Severity:     Imformational
> Network Protocol:     tcp
> Time: 2005-02-23 18:03:53.000 CST
> Interface:    Red_10.1.10.0
>
> Name  Value
>
> Name: Signature-1109274364921
> Direction:    Inbound
> Destination Port:     1975
> Domain:       /My Company
> Result Status:        Blocked
> Attack Name:  UDS-127.0.0.1
> Benign Trigger Probability:   High
> comments      
> Exploit ID:   1
> State:        Unacknowledged
> Subcategory:  - - - -
> Source IP:    127.0.0.1
> Detection Mechanism:  - - - -
> Sensor ID:    netsensor1
> Alert ID      4.75875E+18
> Application Protocol: - - - -
> Source Port:  80
> Destination IP:       10.1.3.210
> Category:     - - - -
> Severity:     High
> Network Protocol:     tcp
> Time: 2005-02-24 20:29:25.000 CST
> Interface:    3A-3B
>
> Name  Value
>
> Name: Src127
> Direction:    Inbound
> Destination Port:     1111
> Domain:       /My Company
> Result Status:        Suspicious
> Attack Name:  IP: Packet has Invalid Address 
> Source/Destination Address
> Benign Trigger Probability:   Low
> comments      
> Exploit ID:   1
> State:        Unacknowledged
> Subcategory:  protocol-violation
> Source IP:    127.0.0.1
> Detection Mechanism:  protocol-anomaly
> Sensor ID:    netsensor1
> Alert ID      4.75875E+18
> Application Protocol: - - - -
> Source Port:  80
> Destination IP:       10.1.5.44
> Category:     Exploit
> Severity:     Imformational
> Network Protocol:     tcp
> Time: 2005-02-23 18:03:41.000 CST
> Interface:    Red_10.1.5.0
>
> Thanks in advance.
>
>
> Ing. Fco. Javier Otero De Alba
> Diplomado en Seguridad Informática ITESM CEM 
> JNSA-S, JNSS-S
> ITStrap
> Product Manager 
> Juniper Secure Access SSL
> 5243-4782 al 84 Ext.300
> México, D.F.