RE: Odd worm traffic?
From: Jerry Heidtke (jheidtke_at_fmlh.edu)
Date: 08/26/03
- Previous message: Meritt James: "Re: towards a taxonomy of Information Assurance (IA)"
- Maybe in reply to: Chris Boyd: "Odd worm traffic?"
Date: Tue, 26 Aug 2003 14:42:56 -0500
To: "Chris Boyd" <cboyd@gizmopartners.com>, <incidents@securityfocus.com>
This is probably a Blaster-infected machine with an incorrect date, or
just rebooted, trying its DoS against windowsupdate.com. The ISP
probably added a DNS entry pointing windowsupdate.com to 127.0.0.1.
Blaster sends a packet to 127.0.0.1:80 with a spoofed source address
within the local address range. Since there is not a web server on that
box, it responds to the spoofed addresses/ports with a RST packet.
If the ISP had not tried to be "helpful" by adding a DNS entry, Blaster
would be unable to resolve the address, and would skip the DoS routine.
Jerry
-----Original Message-----
From: Chris Boyd [mailto:cboyd@gizmopartners.com]
Sent: Tuesday, August 26, 2003 10:31 AM
To: incidents@securityfocus.com
Subject: Odd worm traffic?
Just after midnight local time, one of my IDS boxes that monitors a small
residential broadband network lit up with a bunch of traffic using
spoofed source IP of 127.0.0.1, source port 80, destination IPs all
over the /16, dest ports all in the range of 1002-1992.
Googling for a pattern like this doesn't turn up much, and no exact
match. Anyone else seen similar?
--Chris
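The backscatter pattern Jerry describes (RSTs leaving an infected host with source 127.0.0.1:80, aimed at spoofed addresses across the local /16 on ports around 1002-1992) is easy to flag on a sensor. The following is an added example, not code from the thread or from either poster; it assumes a constructed "src:port > dst:port flags" log format and uses 1000-1999 as an assumed envelope around the observed port range.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sensor lines (not from the original thread); the
# "TCP src:sport > dst:dport FLAGS" layout is an assumed log format.
SAMPLE_LOG = """\
2003-08-26 00:03:11 TCP 127.0.0.1:80 > 10.17.42.9:1002 R
2003-08-26 00:03:11 TCP 127.0.0.1:80 > 10.17.88.201:1517 R
2003-08-26 00:03:12 TCP 127.0.0.1:80 > 10.17.5.66:1992 R
2003-08-26 00:03:12 TCP 10.17.42.9:33401 > 192.0.2.10:80 S
2003-08-26 00:03:13 TCP 127.0.0.1:80 > 10.17.200.3:1300 RA
2003-08-26 00:03:14 TCP 127.0.0.1:8080 > 10.17.1.1:1400 R
"""

LINE_RE = re.compile(
    r"^\S+ \S+ TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


def is_loopback_rst_backscatter(src, sport, dst, dport, flags):
    """True for the signature in the thread: a RST (flag R) with source
    127.0.0.1:80 sent to a non-loopback host on a port in 1000-1999
    (assumed envelope around the observed 1002-1992)."""
    return (
        src == "127.0.0.1"
        and sport == 80
        and "R" in flags
        and not ipaddress.ip_address(dst).is_loopback
        and 1000 <= dport <= 1999
    )


def scan(log_text):
    """Return (list of (dst, dport) hits, Counter of hits per target /16).
    Many hits concentrated in one /16 is the 'all over the /16' spray
    Chris observed; a single hit is more likely a misconfiguration."""
    hits = []
    per_net = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        d = m.groupdict()
        sport, dport = int(d["sport"]), int(d["dport"])
        if is_loopback_rst_backscatter(d["src"], sport, d["dst"], dport, d["flags"]):
            hits.append((d["dst"], dport))
            net = ipaddress.ip_network(d["dst"] + "/16", strict=False)
            per_net[str(net)] += 1
    return hits, per_net
```

On a real sensor the same check should also note the sending MAC or ingress interface, since that, not the 127.0.0.1 source, identifies the infected host.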