Re: [Full-Disclosure] Odd packet?

From: Valentino Squilloni - Ouz (
Date: 05/26/04

  • Next message: Valentino Squilloni - Ouz: "Re: [Full-Disclosure] Odd packet?"
    Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)

    On Wed, 26 May 2004, Maarten wrote:

    > > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
    > >
    > > But I've seen a lot of times those packet, especially the last year with
    > > blaster and DNS servers which resolved in to
    > > try to stop the DOS generated by blaster.
    > Okay, let's analyse what you say here. Say your machine is looking for
    > It asks a DNS server and the reply is:
    > So then your machine starts connecting with... Whether it will
    > succeed in that or not is wholly dependant on whether your local box is
    > running a http server, but that is beside the point: in this scenario, at no
    > point will you see at your _outside_ interface, incoming nor
    > outgoing...

    Wait a moment, you miss a point: say my machine have blaster and looks for, and the reply is, that's` ok.

    But then I forge a packet I will spoof your IP, say (it was a DOS
    to microsoftupdate, as the source IP, and as the destination.

    If I have a web server listening on I answer SYN/ACK
    If I have not the web server listening I answer RST, but anyway if I don't
    have the firewall I answer, and I answer to, which is you, and so
    I route it on my public interface.

    So you see a packet coming from the world with ad the source

    I agree with you when you say that the providers (and maybe any router in
    the internet) should stops packet with an ip (src or dst) non routable;
    but if this is not always true for destination address, it is nearly never
    true for source address (ie. very few provider make egress filtering).


    >avendo accesso come root ad un server remoto, come potrei fare a rendere
    >il sistema non utilizzabile ma in modo sottile ?
    Se NT puo' installarsi via FTP, e' la tua risposta.
                    -- Leonardo Serni
    Full-Disclosure - We believe in it.

  • Next message: Valentino Squilloni - Ouz: "Re: [Full-Disclosure] Odd packet?"