[Intrusions] Traffic spoofed from Localhost 80 - Update and Clarification
James C Slora Jr
Jim.Slora at phra.com
Mon Oct 4 13:46:03 GMT 2004
> 127.0.0.1:80 xx.xx.xx.xx:1903 [RST, ACK] Seq=0 Ack=0 Win=0
> Len=0 TTL=125 Packet length is 0x3b - there is a 12-byte
> trailer of all zeros. Target port varied, but otherwise all
> the packets were the same.
> 2004-09-22 22:41:42 127.0.0.1 80 xx.xx.xx.xx 1653 JS >
> 2004-09-22 22:42:33 127.0.0.1 80 xx.xx.xx.xx 1909 JS >
> 2004-09-22 23:54:46 127.0.0.1 80 xx.xx.xx.xx 1096

First, clarification due to misinterpretation on another list:
These packets cannot indicate Blaster infection on the LAN inside the router
that found them, because they came from the upstream router.
They could be from Blaster on a remote network, but any number of
combinations of localhost nullrouting (as found in a variety of malware in
addition to manual misguided Blaster protection) and spoofed-source SYN
packets (from a DoS tool or malware) from the same machine can cause the
same traffic. Or they could simply be forged for a joke or a covert channel
(not that I'm suggesting this was a covert channel). There is no way for me
to know specifically what caused them on the remote network.

I still dispute the tendency to attribute all 127.0.0.1:80 to Blaster - just
as it does not make any sense to attribute all IIS directory traversal
attempts as "probably Nimda".

This traffic is of much lower intensity than proven Blaster blowback that I
have seen on the lists before. That may mean something, and may not. I was
sure at first, but it really could be a CPU-bound infected host.

Update:

After further investigation, the TTL 125 appears genuine. The traffic is
coming from a very nearby network neighbor. The ISP filters bogons further
upstream, and the sender is inside that filtering. The ISP filters NetBIOS
ports at the router above me but apparently chooses not to filter bogons
there. That explains why this traffic gets through while other bogon traffic
gets filtered.

The ISP also chose not to bother following the traffic across one other
router to track down their infected customer. So the traffic continues as
garbage to clutter the logs, while their customer's computer continues to
have its noisy infection.
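An added triage helper, not part of the original message, for packet summaries in the format quoted at the top of the post: it flags bogon sources that an upstream filter should have dropped, recognises the loopback RST/ACK backscatter the post describes (a remote host's nullrouted 127.0.0.1 answering a spoofed-source SYN), and estimates path length from the TTL on the assumption of a standard initial value. The sample lines are constructed, with 203.0.113.5 standing in for the redacted xx.xx.xx.xx address.

```python
import ipaddress
import re

# Address blocks that should never be a *source* on an Internet-facing link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed samples in the quoted summary format; 203.0.113.5 stands in
# for the redacted xx.xx.xx.xx address.
SAMPLES = [
    "127.0.0.1:80 203.0.113.5:1903 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0 TTL=125",
    "198.51.100.9:443 203.0.113.5:2201 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 TTL=52",
]

SUMMARY_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]*)\](?P<rest>.*)$")


def parse_summary(line):
    """Return addresses, ports, the TCP flag set and any Key=Value fields."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised packet summary: {line!r}")
    rec = {"src": m["src"], "sport": int(m["sport"]),
           "dst": m["dst"], "dport": int(m["dport"]),
           "flags": {f.strip().upper() for f in m["flags"].split(",") if f.strip()}}
    for key, val in re.findall(r"(\w+)=(\d+)", m["rest"]):
        rec[key.lower()] = int(val)  # seq, ack, win, len, ttl
    return rec


def estimate_hops(ttl):
    """Guess (initial TTL, hops travelled) from the usual initial values."""
    initial = next(i for i in (64, 128, 255) if ttl <= i)
    return initial, initial - ttl


def classify(rec):
    """Defender-side verdicts for one record; empty means nothing suspicious."""
    verdicts = []
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in BOGON_PREFIXES):
        verdicts.append("bogon-source")  # should have been dropped upstream
    # A reset from a loopback source is the reply of a remote host whose
    # nullrouted name (127.0.0.1 in its hosts file) answered a SYN that
    # carried a spoofed source; it says nothing about the LAN that logged it.
    if src.is_loopback and "RST" in rec["flags"] and rec.get("win") == 0:
        verdicts.append("loopback-backscatter")
    return verdicts
```

A TTL of 125 against a 128 initial value puts the sender about three hops away, which is the "very nearby network neighbor" reading rather than a host on the local LAN, where a loopback source would never legitimately leave the machine.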