[Dshield] Spoofed attack from IP 127.0.0.1

Delovska-Trajkova, Dusanka Trajd at cof.org
Tue Oct 28 15:43:27 GMT 2003


We have ISA server, so here is a response I found on this topic a few days ago:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=010554#000005

It's not a case of your server or client machines being infected with blaster, more that a remote machine is the source of the infection.

Check out <http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.d.worm.html> for further information but blaster basically port-scans machines hunting for vulnerable targets. If a machine becomes infected it then attempts to DDoS windowsupdate.com.
In our case where ISA is reporting these port-scans from 127.0.0.1 it would appear as though the OS is responding to the request (attempted infection) with a RST ACK to windowsupdate.com... which resolves back to 127.0.0.1.
Hence, ISA then thinks that it is receiving a response to a packet it didn't send... and so the confusion begins.

The end result is pretty much benign in that all's fine, ISA is doing its work. The problem is of course that if, like me, you have pager alerts or other actions take place because of spoofs/scans then it's hard to distinguish real from 'fake' and then your total attention is reduced. I've come to the conclusion that I'll just let ISA log and send off an e-mail alert to the appropriate location but I should otherwise ignore it. After all, if ISA can detect it then it knows what to do with it... so why should I bother? It's things that AREN'T detected that we should be worried about.

It makes sense to me.

Dusanka


 -----Original Message-----
From: 	Deb Hale [mailto:haled at pionet.net] 
Sent:	Tuesday, October 28, 2003 10:32 AM
To:	'General DShield Discussion List'
Subject:	RE: [Dshield] Spoofed attack from IP 127.0.0.1

I am seeing the same thing on one of my Internet connections.  I am trying
to figure out what is going on.  If anyone has any ideas, I would appreciate
input.  Deb




Hi,

We are under spoofed attack from IP 127.0.0.1 almost every minute.  Is there
anything I can do?

Thanks,
Dusanka

PS: Here are a few log records:
2003-10-28	13:51:45	127.0.0.1	66.28.8.96	Tcp	80	1310	RST ACK	Spoof	66.28.20.42	45 00 00 28 1e 57 00 00 77 06 5b fc 7f 00 00 01 42 1c 08 60	00 50 05 1e 00 00 00 00 09 fd 00 01 50 14 00 00 d6 e7 00 00
2003-10-28	13:54:19	127.0.0.1	66.28.8.108	Tcp	80	1131	RST ACK	Spoof	66.28.20.42	45 00 00 28 47 e0 00 00 77 06 32 67 7f 00 00 01 42 1c 08 6c	00 50 04 6b 00 00 00 00 10 e3 00 01 50 14 00 00 d0 a8 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80	1346	RST ACK	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77 06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01 50 14 00 00 af 05 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80	1346	RST ACK	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77 06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01 50 14 00 00 af 05 00 00
2003-10-28	13:57:15	127.0.0.1	66.28.8.101	Tcp	80	1400	RST ACK	Spoof	66.28.20.42	45 00 00 28 77 ec 00 00 77 06 02 62 7f 00 00 01 42 1c 08 65	00 50 05 78 00 00 00 00 13 6e 00 01 50 14 00 00 cd 17 00 00
2003-10-28	13:58:21	127.0.0.1	66.28.8.101	Tcp	80	1547	RST ACK	Spoof	66.28.20.42	45 00 00 28 89 d3 00 00 77 06 f0 7a 7f 00 00 01 42 1c 08 65	00 50 06 0b 00 00 00 00 09 21 00 01 50 14 00 00 d6 d1 00 00
2003-10-28	13:58:45	127.0.0.1	66.28.8.15	Tcp	80	1938	RST ACK	BLOCKED	66.28.20.42	45 00 00 28 90 4e 00 00 77 06 ea 55 7f 00 00 01 42 1c 08 0f	00 50 07 92 00 00 00 00 3d 67 00 01 50 14 00 00 a1 5a 00 00
2003-10-28	13:59:09	127.0.0.1	66.28.8.113	Tcp	80	1154	RST ACK	Spoof	66.28.20.42	45 00 00 28 96 8c 00 00 77 06 e3 b5 7f 00 00 01 42 1c 08 71	00 50 04 82 00 00 00 00 29 87 00 01 50 14 00 00 b7 e8 00 00
2003-10-28	13:59:28	127.0.0.1	66.28.8.112	Tcp	80	1023	RST ACK	Spoof	66.28.20.42	45 00 00 28 9b 83 00 00 77 06 de bf 7f 00 00 01 42 1c 08 70	00 50 03 ff 00 00 00 00 70 bc 00 01 50 14 00 00 71 37 00 00
2003-10-28	14:01:24	127.0.0.1	66.28.8.97	Tcp	80	1681	RST ACK	Spoof	66.28.20.42	45 00 00 28 b9 c4 00 00 77 06 c0 8d 7f 00 00 01 42 1c 08 61	00 50 06 91 00 00 00 00 1c 1a 00 01 50 14 00 00 c3 56 00 00
2003-10-28	14:01:43	127.0.0.1	66.28.8.96	Tcp	80	1782	RST ACK	Spoof	66.28.20.42	45 00 00 28 be a2 00 00 77 06 bb b0 7f 00 00 01 42 1c 08 60	00 50 06 f6 00 00 00 00 63 4f 00 01 50 14 00 00 7b bd 00 00
2003-10-28	14:02:14	127.0.0.1	66.28.8.14	Tcp	80	1037	RST ACK	BLOCKED	66.28.20.42	45 00 00 28 c6 bd 00 00 77 06 b3 e7 7f 00 00 01 42 1c 08 0e	00 50 04 0d 00 00 00 00 28 03 00 01 50 14 00 00 ba 44 00 00
2003-10-28	14:03:12	127.0.0.1	66.28.8.106	Tcp	80	1338	RST ACK	Spoof	66.28.20.42	45 00 00 28 d6 6e 00 00 77 06 a3 da 7f 00 00 01 42 1c 08 6a	00 50 05 3a 00 00 00 00 21 c5 00 01 50 14 00 00 be f9 00 00
2003-10-28	14:03:30	127.0.0.1	66.28.8.105	Tcp	80	1439	RST ACK	Spoof	66.28.20.42	45 00 00 28 db 3b 00 00 77 06 9f 0e 7f 00 00 01 42 1c 08 69	00 50 05 9f 00 00 00 00 68 fa 00 01 50 14 00 00 77 60 00 00
2003-10-28	14:03:42	127.0.0.1	66.28.8.118	Tcp	80	1075	RST ACK	Spoof	66.28.20.42	45 00 00 28 de 63 00 00 77 06 9b d9 7f 00 00 01 42 1c 08 76	00 50 04 33 00 00 00 00 7a f7 00 01 50 14 00 00 66 c2 00 00
2003-10-28	14:04:54	127.0.0.1	66.28.8.12	Tcp	80	1091	RST ACK	BLOCKED	66.28.20.42	45 00 00 28 f4 5f 00 00 77 06 86 47 7f 00 00 01 42 1c 08 0c	00 50 04 43 00 00 00 00 64 21 00 01 50 14 00 00 7d f2 00 00
2003-10-28	14:06:33	127.0.0.1	66.28.8.101	Tcp	80	1573	RST ACK	Spoof	66.28.20.42	45 00 00 28 0e 03 00 00 77 06 6c 4b 7f 00 00 01 42 1c 08 65	00 50 06 25 00 00 00 00 7b f3 00 01 50 14 00 00 63 e5 00 00
2003-10-28	14:06:44	127.0.0.1	66.28.8.114	Tcp	80	1209	RST ACK	Spoof	66.28.20.42	45 00 00 28 11 25 00 00 77 06 69 1c 7f 00 00 01 42 1c 08 72	00 50 04 b9 00 00 00 00 0d f0 00 01 50 14 00 00 d3 47 00 00
2003-10-28	14:07:03	127.0.0.1	66.28.8.113	Tcp	80	1310	RST ACK	Spoof	66.28.20.42	45 00 00 28 15 e8 00 00 77 06 64 5a 7f 00 00 01 42 1c 08 71	00 50 05 1e 00 00 00 00 55 25 00 01 50 14 00 00 8b ae 00 00
2003-10-28	14:07:51	127.0.0.1	66.28.8.126	Tcp	80	1685	RST ACK	Spoof	66.28.20.42	45 00 00 28 22 de 00 00 77 06 57 57 7f 00 00 01 42 1c 08 7e	00 50 06 95 00 00 00 00 75 8b 00 01 50 14 00 00 69 c4 00 00
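The hex column of those ISA records is the captured packet itself, and decoding it shows why ISA tags them "Spoof" and why the quoted reply treats them as noise to log rather than page on. This is an added example, not code from the thread or from ISA Server; it takes the first record above as its sample input and assumes the column order date, time, source, destination, protocol, source port, destination port, flags, action, ISA address, IPv4 header hex, TCP header hex.

```python
import struct
from ipaddress import IPv4Address

# First record from the ISA log in this thread, re-joined onto one line. Column order
# is assumed (see lead-in); the last two columns are the IPv4 and TCP headers as hex.
SAMPLE_RECORD = (
    "2003-10-28\t13:51:45\t127.0.0.1\t66.28.8.96\tTcp\t80\t1310\tRST ACK\tSpoof\t"
    "66.28.20.42\t45 00 00 28 1e 57 00 00 77 06 5b fc 7f 00 00 01 42 1c 08 60\t"
    "00 50 05 1e 00 00 00 00 09 fd 00 01 50 14 00 00 d6 e7 00 00"
)
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x10, "ACK"))


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the IPv4 header with its checksum field zeroed."""
    zeroed = header[:10] + b"\0\0" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_record(line: str) -> dict:
    """Parse one tab-separated ISA record and decode the IPv4/TCP headers in its hex columns."""
    fields = line.rstrip("\n").split("\t")
    raw = bytes.fromhex(" ".join(fields[10:]))
    ihl = (raw[0] & 0x0F) * 4               # IPv4 header length in bytes
    total_len, cksum = struct.unpack("!H", raw[2:4])[0], struct.unpack("!H", raw[10:12])[0]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    tcp_len = (off_flags >> 12) * 4         # TCP data offset is in 32-bit words
    return {
        "action": fields[8], "ttl": raw[8], "proto": raw[9],
        "src": IPv4Address(raw[12:16]), "dst": IPv4Address(raw[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "payload_len": total_len - ihl - tcp_len,
        "checksum_ok": ip_checksum(raw[:ihl]) == cksum,
    }


def triage(pkt: dict) -> str:
    """A loopback source on the external interface can never be a real peer, so 'Spoof' is
    correct; an empty RST/ACK carries nothing to exploit, so it is noise to log, not page on."""
    if not pkt["src"].is_loopback:
        return "non-loopback source: handle as a normal event"
    if "RST" in pkt["flags"] and pkt["payload_len"] == 0:
        return "loopback-sourced RST/ACK with no payload: log, do not page"
    return "loopback-sourced packet with payload or non-RST flags: investigate"
```

Run `decode_record` over each line of the log to confirm every entry is the same shape (127.0.0.1:80 resetting a remote high port, valid IP checksum, no payload); an entry that fails `triage` with the "investigate" verdict is the one worth an analyst's time.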



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

