Re: [Full-Disclosure] Odd packet?

From: Valentino Squilloni - Ouz (ouz_at_people.it)
Date: 05/26/04

    To: full-disclosure@lists.netsys.com
    Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)
    
    

    On Wed, 26 May 2004, Maarten wrote:

    []
    > > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
    > >
    > > But I've seen those packets a lot of times, especially last year with
    > > Blaster and DNS servers which resolved microsoftupdate.com to 127.0.0.1 to
    > > try to stop the DOS generated by Blaster.
    >
    > Okay, let's analyse what you say here. Say your machine is looking for
    > microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
    > So then your machine starts connecting with... 127.0.0.1. Whether it will
    > succeed in that or not is wholly dependent on whether your local box is
    > running an http server, but that is beside the point: in this scenario, at no
    > point will you see 127.0.0.1 at your _outside_ interface, neither incoming nor
    > outgoing...

    Wait a moment, you miss a point: say my machine has Blaster and looks for
    windowsupdate.com, and the reply is 127.0.0.1; that's ok.

    But then I forge a packet: I spoof your IP, say 1.2.3.4 (it was a DOS
    to microsoftupdate), as the source IP, and 127.0.0.1:80 as the destination.

    If I have a web server listening on 127.0.0.1:80, I answer SYN/ACK.
    If I don't have the web server listening, I answer RST; but anyway, if I don't
    have a firewall, I answer, and I answer to 1.2.3.4, which is you, and so
    I route it out on my public interface.

    So you see a packet coming from the world with 127.0.0.1 as the source
    address.

    I agree with you when you say that the providers (and maybe any router on
    the internet) should stop packets with a non-routable IP (src or dst);
    but if this is not always true for the destination address, it is nearly never
    true for the source address (i.e. very few providers do egress filtering).

    Ouz

    -- 
    >Having root access on a remote server, how could I make the
    >system unusable, but in a subtle way?
    If NT can install itself via FTP, that's your answer.
                    -- Leonardo Serni
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
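The reflection described in the message above, modelled as an added example (not code from the post or from any project named in it): the reply to a SYN spoofed from 1.2.3.4 towards 127.0.0.1:80 leaves the infected host with source 127.0.0.1, and a simple anti-spoofing filter on the public interface (egress on the sender's side, ingress on the receiver's) is what catches it. The local prefix 5.6.7.0/24 and the packet tuples are constructed values.

```python
import ipaddress
from typing import NamedTuple, Tuple

# Constructed: the infected host's public interface sits in this prefix (hypothetical).
LOCAL_PREFIX = ipaddress.ip_network("5.6.7.0/24")

# Ranges that must never appear as source or destination on a public link.
NON_ROUTABLE = [
    ipaddress.ip_network("127.0.0.0/8"),    # loopback, the case in the thread
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]

class Packet(NamedTuple):
    direction: str   # "in" = arriving on the public interface, "out" = leaving it
    src: str
    dst: str
    flags: str       # TCP flags: "S", "SA", "R"

def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

def filter_verdict(pkt: Packet) -> str:
    """'drop' or 'pass' for a packet seen on the public interface.
    Ingress: no non-routable address and no source from our own prefix.
    Egress: only sources from our own prefix may leave (egress filtering)."""
    if is_non_routable(pkt.src) or is_non_routable(pkt.dst):
        return "drop"
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in" and src in LOCAL_PREFIX:
        return "drop"   # our own address cannot legitimately come from outside
    if pkt.direction == "out" and src not in LOCAL_PREFIX:
        return "drop"   # spoofed source: never let it out
    return "pass"

def reply_to(syn: Packet, listening: bool) -> Packet:
    """The host's TCP answer to a SYN: SYN/ACK if something listens, else RST.
    Addresses are swapped, so the spoofed source becomes the reply's destination."""
    return Packet("out", src=syn.dst, dst=syn.src, flags="SA" if listening else "R")

def reflection_demo(listening: bool) -> Tuple[str, str, str]:
    # Constructed: the infected host forges src=1.2.3.4 (the DOS target) -> 127.0.0.1:80.
    spoofed = Packet("in", src="1.2.3.4", dst="127.0.0.1", flags="S")
    reply = reply_to(spoofed, listening)
    # Reply source is 127.0.0.1 heading for 1.2.3.4 out the public interface.
    return reply.src, reply.flags, filter_verdict(reply)
```

Both the SYN/ACK and the RST variant yield a packet with source 127.0.0.1 that the egress rule drops; the same packet arriving at 1.2.3.4 is dropped by the ingress rule because its source is non-routable.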
    
