[Dshield] From,80

Will Boege will_boege at i-tech.com
Mon Feb 16 20:07:45 GMT 2004

Blaster infected host tries to DDoS windowsupdate.com.  It looks it up
in DNS, and a DNS admin who followed some bad advice set
windowsupdate.com to resolve to, so Blaster crafts a packet
with a spoofed source and as the destination, the packet is
then sent over the loopback on port 80.  The networking stack then
thinks it is a stale connection because the sequence numbers are not
what it is expecting, so it sends a RST back to the spoofed source
address (which is now the destination address).  Voila, packets to you
on port 80 from

Anyone feel free to correct me if I am wrong.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of EL KHAMLICHI Yassine
Sent: Monday, February 16, 2004 10:42 AM
To: 'General DShield Discussion List'
Subject: [Dshield] From,80

Hi All,

I come back a while to the subject of scans on the port 80 from I manage an ISP's network; and I notice these days a very
large amount of packets from on port 80.

CFTCELA005LC3601#sh access-lists 115
Extended IP access list 115
    deny tcp any any eq 135 (24435 matches)
    deny udp any any eq 135
    deny ip host any (23619 matches)
    deny ip any host (3 matches)
    permit ip any any (28249 matches)

Would you please explain to me in more detail how Blaster is related to
this phenomenon.
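
An added example (not part of the original messages): a Python classifier for raw IPv4 headers that separates the RST traffic described in the reply from other packets carrying an unroutable source. It assumes the source address missing from the archived text is in the loopback range 127.0.0.0/8; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Assumption: the source address in question is a loopback address.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SYN, RST, ACK = 0x02, 0x04, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP header (checksums zeroed) as constructed input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

def classify(packet):
    """Label one raw IPv4 packet as seen arriving on a routed interface."""
    if len(packet) < 20:
        return "malformed"
    if packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if ipaddress.ip_address(packet[12:16]) not in LOOPBACK:
        return "normal-source"
    # A loopback source should never appear on the wire: always a martian.
    if packet[9] != 6 or len(packet) < ihl + 14:
        return "martian-source"
    (sport,) = struct.unpack("!H", packet[ihl:ihl + 2])
    flags = packet[ihl + 13]
    # Source port 80 with RST set matches the reset-to-spoofed-address pattern.
    if sport == 80 and flags & RST:
        return "rst-backscatter"
    return "martian-source"

def summarize(packets):
    """Count labels over a capture, e.g. to compare with ACL match counters."""
    return Counter(classify(p) for p in packets)

# Constructed sample capture (documentation address ranges for real hosts).
SAMPLES = [
    build_packet("127.0.0.1", "198.51.100.7", 80, 1034, RST | ACK),
    build_packet("127.0.0.1", "198.51.100.9", 80, 2211, RST | ACK),
    build_packet("127.0.0.1", "198.51.100.7", 4444, 135, SYN),
    build_packet("192.0.2.10", "198.51.100.7", 80, 1034, RST | ACK),
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Either label for a loopback source is a reason to drop the packet at ingress; the split only shows how much of the dropped traffic fits the mechanism described in the reply.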
