[Dshield] From 127.0.0.1,80

Will Boege will_boege at i-tech.com
Mon Feb 16 20:07:45 GMT 2004


A Blaster-infected host tries to DDoS windowsupdate.com.  It looks it up
in DNS, and a DNS admin who followed some bad advice set
windowsupdate.com to resolve to 127.0.0.1, so Blaster crafts a packet
with a spoofed source and 127.0.0.1 as the destination; the packet is
then sent over the loopback on port 80.  The networking stack then
thinks it is a stale connection because the sequence numbers are not
what it is expecting, so it sends a RST back to the spoofed source
address (which is now the destination address).  Voila, packets to you
on port 80 from 127.0.0.1.

Anyone feel free to correct me if I am wrong.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of EL KHAMLICHI Yassine
Sent: Monday, February 16, 2004 10:42 AM
To: 'General DShield Discussion List'
Subject: [Dshield] From 127.0.0.1,80


Hi All,

I come back for a while to the subject of scans on port 80 from
127.0.0.1. I manage an ISP's network, and I notice these days a very
large amount of packets from 127.0.0.1 on port 80.

CFTCELA005LC3601#sh access-lists 115
Extended IP access list 115
    deny tcp any any eq 135 (24435 matches)
    deny udp any any eq 135
    deny ip host 127.0.0.1 any (23619 matches)
    deny ip any host 127.0.0.1 (3 matches)
    permit ip any any (28249 matches)

Would you please explain to me in more detail how Blaster is related to
this phenomenon.
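
Added example (not from either poster): a Python classifier for raw IPv4 packets seen on an external interface, separating the RST-from-127.0.0.1:80 pattern described in the reply from other loopback-sourced packets that the ACL above would also drop. The packet builder, the labels and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RST = 0x04  # TCP RST flag bit

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured on an external interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    if src not in LOOPBACK:
        return "normal"
    # A loopback source can never legitimately arrive from the wire.
    if proto != 6 or len(packet) < ihl + 14:
        return "martian-loopback"
    sport, _dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    # Pattern the reply attributes to Blaster: RST sent from 127.0.0.1:80.
    if sport == 80 and flags & RST:
        return "loopback-rst-80"
    return "martian-loopback"

def build(src, dst, sport, dport, flags, proto=6):
    """Build a constructed IPv4+TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

# Constructed sample traffic; non-loopback addresses are RFC 5737 ranges.
SAMPLES = [
    build("127.0.0.1", "192.0.2.10", 80, 1042, 0x14),     # RST+ACK, loopback:80
    build("127.0.0.1", "192.0.2.11", 80, 1187, 0x04),     # RST, loopback:80
    build("127.0.0.1", "192.0.2.12", 5000, 25, 0x02),     # other loopback TCP
    build("198.51.100.7", "192.0.2.10", 80, 1042, 0x14),  # RST from a real host
    build("127.0.0.1", "192.0.2.13", 0, 0, 0, proto=17),  # loopback-sourced UDP
]

def summarize(packets):
    """Count packets per classification label."""
    return Counter(classify(p) for p in packets)

if __name__ == "__main__":
    for label, count in summarize(SAMPLES).items():
        print(f"{label}: {count}")
```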




