Full Disclosure mailing list archives

Re: Odd packet?


From: Valentino Squilloni - Ouz <ouz () people it>
Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)

On Wed, 26 May 2004, Maarten wrote:

> []
> Especially 127.x.x.x is not routed by any ISP which is worth their name.
>
> > But I've seen those packets a lot of times, especially in the last year with
> > Blaster and DNS servers which resolved microsoftupdate.com to 127.0.0.1 to
> > try to stop the DoS generated by Blaster.
>
> Okay, let's analyse what you say here. Say your machine is looking for
> microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
> So then your machine starts connecting with... 127.0.0.1. Whether it will
> succeed in that or not is wholly dependent on whether your local box is
> running an http server, but that is beside the point: in this scenario, at no
> point will you see 127.0.0.1 at your _outside_ interface, incoming or
> outgoing...

Wait a moment, you miss a point: say my machine has Blaster and looks for
windowsupdate.com, and the reply is 127.0.0.1; that's ok.

But then I forge a packet: I spoof your IP, say 1.2.3.4 (it was a DoS
against microsoftupdate), as the source IP, and 127.0.0.1:80 as the destination.

If I have a web server listening on 127.0.0.1:80 I answer SYN/ACK.
If I don't have a web server listening I answer RST; but either way, if I don't
have a firewall I answer, and I answer to 1.2.3.4, which is you, and so
I route it out on my public interface.

So you see a packet coming from the world with 127.0.0.1 as the source
address.

I agree with you when you say that the providers (and maybe any router on
the internet) should stop packets with a non-routable IP (src or dst);
but if this is not always true for destination addresses, it is nearly never
true for source addresses (i.e. very few providers do egress filtering).

Ouz

-- 
having root access to a remote server, how could I make the system
unusable, but in a subtle way?
If NT can be installed via FTP, there's your answer.
                -- Leonardo Serni

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
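The filtering Ouz says most providers lack is what a BCP 38-style ingress/egress rule set on the public interface does: drop arriving packets whose source is non-routable or claims to be our own prefix (and whose destination is loopback), and drop departing packets whose source is not ours, which is exactly the 127.0.0.1-sourced SYN/ACK or RST described above. The following is an added example written for this archive page, not code from the thread or from any of its participants. It generalizes the thread's 127.x.x.x case to the other well-known special-use ranges. The log-line format, the interface name `eth0`, the prefix 5.6.7.0/24 (standing in for the host's real public prefix) and the peer 9.8.7.6 are constructed for the illustration; 1.2.3.4 and 127.0.0.1 are the addresses used in the thread.

```python
"""Ingress/egress source-address audit for a host's public interface.

Added example for the Full Disclosure archive page; not code from the thread.
The log format and all addresses except 1.2.3.4 and 127.0.0.1 are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Special-use ranges that must never appear as a source on the public Internet.
# Generalizes the thread's 127.x.x.x example to the other well-known ranges.
NON_ROUTABLE = tuple(ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
))

# Constructed log format: "<iface> <in|out> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<direction>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*(?P<flags>\S*)$"
)


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_line(line: str) -> Packet:
    """Parse one constructed log line into a Packet; raise on garbage."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Packet(m["iface"], m["direction"], m["proto"],
                  ipaddress.IPv4Address(m["src"]), int(m["sport"]),
                  ipaddress.IPv4Address(m["dst"]), int(m["dport"]), m["flags"])


def is_non_routable(addr) -> bool:
    """True if addr (str or IPv4Address) falls in a special-use range."""
    if isinstance(addr, str):
        addr = ipaddress.IPv4Address(addr)
    return any(addr in net for net in NON_ROUTABLE)


def verdict(pkt: Packet, our_prefix: ipaddress.IPv4Network, external_iface: str = "eth0"):
    """Decide what a BCP 38-style filter on the public interface should do.

    Ingress (arriving from the world): drop non-routable sources, sources that
    claim to be inside our own prefix, and loopback destinations.
    Egress (leaving for the world): drop anything whose source is not ours,
    which is the 127.0.0.1-sourced reply the thread describes.
    """
    if pkt.iface != external_iface:
        return ("accept", "not the public interface")
    if pkt.direction == "in":
        if is_non_routable(pkt.src):
            return ("drop", "ingress: non-routable source")
        if pkt.src in our_prefix:
            return ("drop", "ingress: source claims our own prefix")
        if pkt.dst.is_loopback:
            return ("drop", "ingress: loopback destination")
    else:
        if pkt.src not in our_prefix:
            return ("drop", "egress: source not in our prefix")
    return ("accept", "")


def audit(lines, our_prefix, external_iface="eth0"):
    """Return [(line, action, reason)] for every non-empty log line."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        action, reason = verdict(parse_line(line), our_prefix, external_iface)
        results.append((line.strip(), action, reason))
    return results


# Constructed traffic replaying the thread's scenario on a host at 5.6.7.10:
# a normal exchange, the spoofed SYN to 127.0.0.1:80 "from" 1.2.3.4, the host's
# loopback-sourced reply leaving for 1.2.3.4, and a SYN from an RFC 1918 source.
SAMPLE_LOG = """
eth0 in  tcp 9.8.7.6:443 -> 5.6.7.10:51234 SA
eth0 out tcp 5.6.7.10:51234 -> 9.8.7.6:443 A
eth0 in  tcp 1.2.3.4:40000 -> 127.0.0.1:80 S
eth0 out tcp 127.0.0.1:80 -> 1.2.3.4:40000 SA
eth0 in  tcp 10.0.0.5:1234 -> 5.6.7.10:22 S
"""

OUR_PREFIX = ipaddress.IPv4Network("5.6.7.0/24")  # constructed stand-in prefix

if __name__ == "__main__":
    for line, action, reason in audit(SAMPLE_LOG.splitlines(), OUR_PREFIX):
        print(f"{action:6} {line}  {reason}")
```

Run stand-alone, the two legitimate lines are accepted and the three others are dropped; note that the egress rule alone is what keeps the SYN/ACK (or RST) with source 127.0.0.1 from ever reaching 1.2.3.4, so a host that applies it protects the spoofed victim even when no upstream provider filters.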

