Full Disclosure mailing list archives
Re: Odd packet?
From: Valentino Squilloni - Ouz <ouz () people it>
Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)
On Wed, 26 May 2004, Maarten wrote:
>>> Especially 127.x.x.x is not routed by any ISP which is worth their name.
>>
>> But I've seen a lot of times those packets, especially the last year with blaster and DNS servers which resolved microsoftupdate.com to 127.0.0.1 to try to stop the DOS generated by blaster.
>
> Okay, let's analyse what you say here. Say your machine is looking for microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1. So then your machine starts connecting with... 127.0.0.1. Whether it will succeed in that or not is wholly dependent on whether your local box is running a http server, but that is beside the point: in this scenario, at no point will you see 127.0.0.1 at your _outside_ interface, incoming nor outgoing...
Wait a moment, you miss a point: say my machine has blaster and looks for windowsupdate.com, and the reply is 127.0.0.1, that's ok. But then I forge a packet: I will spoof your IP, say 1.2.3.4 (it was a DOS to microsoftupdate), as the source IP, and 127.0.0.1:80 as the destination. If I have a web server listening on 127.0.0.1:80 I answer SYN/ACK. If I do not have the web server listening I answer RST, but anyway if I don't have the firewall I answer, and I answer to 1.2.3.4, which is you, and so I route it on my public interface. So you see a packet coming from the world with 127.0.0.1 as the source address.

I agree with you when you say that the providers (and maybe any router in the internet) should stop packets with an IP (src or dst) that is non-routable; but if this is not always true for the destination address, it is nearly never true for the source address (i.e. very few providers do egress filtering).

Ouz

--
having root access to a remote server, how could I make the system unusable, but in a subtle way?

If NT can be installed via FTP, that's your answer.
-- Leonardo Serni

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html