[Dshield] New variant of Blaster?

James Riden j.riden at massey.ac.nz
Thu Jun 17 00:04:03 GMT 2004


"Security Guy" <securityguy at dslextreme.com> writes:

> We're getting a lot of what looks like Blaster (spoofs 127.0.0.1, attack
> port is always 80, random high number victim port) but it's not setting off
> the Blaster signatures already loaded into the IDS.  The problem is that our
> lame IDS doesn't give us a MAC address - just the loopback adaptor address.

Blaster needed to establish a TCP session, so it had to use the
correct source IP address - it also hit port 135/tcp, not 80. A
characteristic of Blaster I remember is fairly linear scanning through
a class B or so, with about 10-20 SYNs / second.

It's fairly curious, because I don't see how spoofing 127.0.0.1 as the
source address is going to help exploit a webserver - you'll need a
TCP session to deliver any payload, and you won't get one with a
spoofed IP address.

cheers,
 Jamie
-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
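
An added example, not part of the original post or of any IDS product: a triage sketch that separates the two traffic profiles discussed in this thread, packets claiming a 127.0.0.0/8 source (which should never arrive on a wire interface) and the Blaster profile described in the reply (near-linear walk over destinations on 135/tcp at roughly 10-20 attempts per second). The record layout, thresholds, function names and addresses are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: (time_s, src, sport, dst, dport), one record per
# packet logged by a hypothetical sensor.
SAMPLE = [
    (0.00, "127.0.0.1", 80, "192.0.2.10", 1047),
    (0.40, "127.0.0.1", 80, "192.0.2.10", 1912),
    (0.90, "127.0.0.1", 80, "192.0.2.22", 3355),
    (2.00, "203.0.113.5", 4000, "192.0.2.10", 135),   # isolated 135/tcp hits
    (9.00, "203.0.113.5", 4001, "192.0.2.99", 135),
] + [(1.0 + 0.07 * i, "198.51.100.7", 3000 + i, f"192.0.2.{i + 1}", 135)
     for i in range(8)]                                # sequential sweep

def is_martian_source(src):
    """True if the claimed source is loopback space seen on the network."""
    return ipaddress.ip_address(src) in LOOPBACK

def blaster_like_sources(records, min_rate=10.0, min_targets=5, min_linear=0.8):
    """Sources hitting 135/tcp on mostly consecutive addresses at >= min_rate/s."""
    per_src = defaultdict(list)
    for t, src, _sport, dst, dport in records:
        if dport == 135 and not is_martian_source(src):
            per_src[src].append((t, int(ipaddress.ip_address(dst))))
    hits = {}
    for src, seen in per_src.items():
        if len(seen) < min_targets:
            continue
        seen.sort()
        span = seen[-1][0] - seen[0][0]
        rate = (len(seen) - 1) / span if span > 0 else float("inf")
        steps = [b[1] - a[1] for a, b in zip(seen, seen[1:])]
        linear = sum(1 for s in steps if s == 1) / len(steps)
        if rate >= min_rate and linear >= min_linear:
            hits[src] = {"rate": round(rate, 1), "linear": round(linear, 2)}
    return hits

def classify(records):
    """Split a log into loopback-sourced packets and Blaster-like scanners."""
    return {"martian": [r for r in records if is_martian_source(r[1])],
            "blaster_like": blaster_like_sources(records)}

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(len(result["martian"]), "loopback-sourced packets")
    print("Blaster-like scanners:", result["blaster_like"])
```

Loopback-sourced packets are reported separately because, as the reply notes, no TCP session can complete with that source address, so they do not fit a worm-propagation signature and are better handled by ingress filtering of 127.0.0.0/8.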



