Re: [Full-Disclosure] Odd packet?
From: Valentino Squilloni - Ouz (ouz_at_people.it)
To: email@example.com Date: Wed, 26 May 2004 10:57:28 +0200 (CEST)
On Wed, 26 May 2004, Maarten wrote:
> > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
> > But I've seen a lot of times those packet, especially the last year with
> > blaster and DNS servers which resolved microsoftupdate.com in 127.0.0.1 to
> > try to stop the DOS generated by blaster.
> Okay, let's analyse what you say here. Say your machine is looking for
> microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
> So then your machine starts connecting with... 127.0.0.1. Whether it will
> succeed in that or not is wholly dependant on whether your local box is
> running a http server, but that is beside the point: in this scenario, at no
> point will you see 127.0.0.1 at your _outside_ interface, incoming nor
Wait a moment, you miss a point: say my machine have blaster and looks for
windowsupdate.com, and the reply is 127.0.0.1, that's` ok.
But then I forge a packet I will spoof your IP, say 18.104.22.168 (it was a DOS
to microsoftupdate, as the source IP, and 127.0.0.1:80 as the destination.
If I have a web server listening on 127.0.0.1:80 I answer SYN/ACK
If I have not the web server listening I answer RST, but anyway if I don't
have the firewall I answer, and I answer to 22.214.171.124, which is you, and so
I route it on my public interface.
So you see a packet coming from the world with 127.0.0.1 ad the source
I agree with you when you say that the providers (and maybe any router in
the internet) should stops packet with an ip (src or dst) non routable;
but if this is not always true for destination address, it is nearly never
true for source address (ie. very few provider make egress filtering).
-- >avendo accesso come root ad un server remoto, come potrei fare a rendere >il sistema non utilizzabile ma in modo sottile ? Se NT puo' installarsi via FTP, e' la tua risposta. -- Leonardo Serni _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html