Re: [Full-Disclosure] Odd packet?

From: Valentino Squilloni - Ouz (ouz_at_people.it)
Date: 05/26/04

  • Next message: Valentino Squilloni - Ouz: "Re: [Full-Disclosure] Odd packet?"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)
    
    

    On Wed, 26 May 2004, Maarten wrote:

    []
    > > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
    > >
    > > But I've seen a lot of times those packet, especially the last year with
    > > blaster and DNS servers which resolved microsoftupdate.com in 127.0.0.1 to
    > > try to stop the DOS generated by blaster.
    >
    > Okay, let's analyse what you say here. Say your machine is looking for
    > microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
    > So then your machine starts connecting with... 127.0.0.1. Whether it will
    > succeed in that or not is wholly dependent on whether your local box is
    > running a http server, but that is beside the point: in this scenario, at no
    > point will you see 127.0.0.1 at your _outside_ interface, incoming or
    > outgoing...

    Wait a moment, you miss a point: say my machine has blaster and looks for
    windowsupdate.com, and the reply is 127.0.0.1, that's ok.

    But then I forge a packet: I will spoof your IP, say 1.2.3.4 (it was a DOS
    to microsoftupdate), as the source IP, and 127.0.0.1:80 as the destination.

    If I have a web server listening on 127.0.0.1:80 I answer SYN/ACK.
    If I don't have the web server listening I answer RST, but anyway if I don't
    have the firewall I answer, and I answer to 1.2.3.4, which is you, and so
    I route it on my public interface.

    So you see a packet coming from the world with 127.0.0.1 as the source
    address.

    I agree with you when you say that the providers (and maybe any router in
    the internet) should stop packets with a non-routable IP (src or dst);
    but if this is not always true for destination addresses, it is nearly never
    true for source addresses (i.e. very few providers do egress filtering).

    Ouz

    -- 
    > having root access on a remote server, how could I make the system
    > unusable, but in a subtle way?
    If NT can be installed via FTP, that's your answer.
                    -- Leonardo Serni
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
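
As an added illustration (not part of Ouz's or Maarten's mail), the check below implements the filtering both of them argue for: a host or border filter that drops any packet carrying a loopback (127.0.0.0/8) or other non-routable address on a non-loopback interface, in either direction. The interface names, the 5.6.7.8 and 198.51.100.7 addresses and the packet records are constructed for this example; 1.2.3.4 and 127.0.0.1:80 are the values from the thread. Run over the scenario Ouz describes, it catches the leaked RST/SYN-ACK on the infected host's egress and the same packet on the recipient's ingress, which is exactly the "packet from the world with 127.0.0.1 as the source" he reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges that must never appear as source or destination on a
# public-facing interface ("martians"). 127.0.0.0/8 is the loopback range
# discussed in the thread; the rest are the usual RFC 1918 private ranges,
# link-local and the "this network" block.
MARTIAN_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass
class Packet:
    iface: str       # interface the packet is seen on ("lo", "eth0", ...)
    direction: str   # "in" = arriving on iface, "out" = leaving via iface
    src: str
    dst: str
    flags: str       # TCP flags, e.g. "S", "SA", "R"


def martian_match(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Return the martian network containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net in MARTIAN_NETS:
        if ip in net:
            return net
    return None


def classify(pkt: Packet) -> str:
    """Return "allow", or a "drop: ..." reason for the log.

    Traffic on the loopback interface itself is left alone: that is where a
    connection to 127.0.0.1 is supposed to live.  On any other interface a
    martian source or destination is bogus whether it is coming in (ingress
    filtering) or going out (egress filtering), so both directions are checked.
    """
    if pkt.iface == "lo":
        return "allow"
    for role, addr in (("src", pkt.src), ("dst", pkt.dst)):
        net = martian_match(addr)
        if net is not None:
            return (f"drop: martian {role} {addr} ({net}) "
                    f"{pkt.direction} on {pkt.iface}, flags={pkt.flags}")
    return "allow"


def count_drops(pkts) -> int:
    """Number of packets in pkts that the filter would drop."""
    return sum(1 for p in pkts if classify(p) != "allow")


# Constructed sample traffic following the thread's scenario.  1.2.3.4 is the
# spoofed victim from the mail; 5.6.7.8 (the recipient's own address) and
# 198.51.100.7 (an ordinary client) are placeholders for this example.
SAMPLE = [
    # 1. The forged SYN the infected host sends to itself: spoofed source
    #    1.2.3.4, destination 127.0.0.1:80.  It travels over lo, so the
    #    filter does not act on it here.
    Packet("lo", "in", "1.2.3.4", "127.0.0.1", "S"),
    # 2. The reply (RST, or SYN/ACK if a web server listens) addressed to
    #    1.2.3.4 and routed out the public interface with src 127.0.0.1.
    #    Egress filtering on the infected host stops it.
    Packet("eth0", "out", "127.0.0.1", "1.2.3.4", "R"),
    # 3. The same kind of packet as seen arriving at someone else's border
    #    (their address stands in for 1.2.3.4).  Ingress filtering stops it.
    Packet("eth0", "in", "127.0.0.1", "5.6.7.8", "SA"),
    # 4. A normal SYN from a routable address: allowed.
    Packet("eth0", "in", "198.51.100.7", "5.6.7.8", "S"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.iface:5} {p.direction:3} {p.src:>14} -> {p.dst:<14} {classify(p)}")
    print("dropped:", count_drops(SAMPLE))
```

The point of checking the `out` direction on the infected host is the one Ouz makes at the end: the provider rarely does it, so the leaked 127.0.0.1-sourced reply only gets stopped if the sending host or its own border filters egress as well as ingress.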
    
