RE: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?

From: Dan Hanson (dhanson_at_securityfocus.com)
Date: 10/29/03

    Date: Wed, 29 Oct 2003 12:32:47 -0700 (MST)
    To: "Jim Harrison (ISA)" <jmharr@microsoft.com>
    
    

    From memory, the DoS routine grabs the Class B network off the machine
    (255.255.0.0) and spoofs from within that, so it's not inconceivable that
    it would be coming from upstream.

    D

    On Wed, 29 Oct 2003, Jim Harrison (ISA) wrote:

    > That's an interesting observation (and no doubt true in many cases), but
    > I've also seen a collection of reports from ISA customers (big surprise,
    > huh?) that have actually traced this traffic and discovered that it's
    > coming from their upstream.
    > Apparently their ISP is failing to apply router ACLs that any
    > self-respecting network engineer would consider "basic settings".
    > I have seen this in my ISA logs as well, but since it's garbage traffic
    > (extremely low), I don't get too excited about it.
    >
    > * Jim Harrison
    > MCP(NT4/2K), A+, Network+
    > Security Business Unit (ISA SE)
    >
    > "I used to hate writing assignments, but now I enjoy them.
    > I realized that the purpose of writing is to inflate weak ideas,
    > obscure poor reasoning, and inhibit clarity.
    > With a little practice, writing can be an intimidating and
    > impenetrable fog!"
    > -Calvin
    >
    > -----Original Message-----
    > From: Dan Hanson [mailto:dhanson@securityfocus.com]
    > Sent: Tuesday, October 28, 2003 08:00
    > To: incidents@securityfocus.com
    > Subject: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?
    >
    > I am posting this in the hopes of dulling the 5-6 messages I get every day
    > that are reporting port scans to their network all of which have a source
    > IP of 127.0.0.1 and source port 80.
    >
    > It is likely Blaster (check your favourite AV site for a writeup, I won't
    > summarize here).
    >
    > The reason that people are seeing this has to do with some very bad advice
    > that was given early in the blaster outbreak. The advice basically was
    > that to protect the Internet from the DoS attack that was to hit
    > windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to
    > windowsupdate.com. Essentially these suggestions were suggesting that
    > hosts should commit suicide to protect the Internet.
    >
    > The problem is that the DoS routine spoofs the source address, so when
    > windowsupdate.com resolves to 127.0.0.1 the following happens.
    >
    > Infected host picks address as source address and sends Syn packet to
    > 127.0.0.1 port 80. (Sends it to itself) (This never makes it on the wire,
    > you will not see this part)
    >
    > TCP/IP stack receives packet, responds with reset (if there is nothing
    > listening on that port), sending the reset to the host with the spoofed
    > source address (this is what people are seeing and mistaking for
    > portscans)
    >
    > Result: It looks like a host is port scanning ephemeral ports using
    > packets with source address:port of 127.0.0.1:80
    >
    > Solution: track back the packets by MAC address to find the infected
    > machine. Turn off NS resolution of windowsupdate.com to 127.0.0.1.
    >
    > Hope that helps
    >
    > D
    >

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------
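The RST backscatter Dan describes has a simple signature (source 127.0.0.1, source port 80, RST set) that a real SYN scan does not share. As an added example that is not code from the thread, the script below classifies a constructed capture and groups the backscatter by Ethernet source, which on the local segment is the infected host's own NIC (seen from beyond a router it would be the router's MAC instead). The packet tuple layout and sample addresses are assumptions.

```python
from collections import Counter

# Constructed sample capture (not real traffic):
# (src_mac, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # Blaster-infected host answering its own spoofed SYNs with RST/ACK.
    ("00:11:22:33:44:55", "127.0.0.1", 80, "10.0.5.23", 40013, "RA"),
    ("00:11:22:33:44:55", "127.0.0.1", 80, "10.0.17.9", 40014, "RA"),
    ("00:11:22:33:44:55", "127.0.0.1", 80, "10.0.200.1", 40015, "RA"),
    # A second infected machine on the same segment.
    ("aa:bb:cc:dd:ee:ff", "127.0.0.1", 80, "10.0.9.77", 40016, "RA"),
    # A genuine scanner: real source IP, SYN-only, walking service ports.
    ("de:ad:be:ef:00:01", "10.0.3.4", 51234, "10.0.5.23", 22, "S"),
    ("de:ad:be:ef:00:01", "10.0.3.4", 51235, "10.0.5.23", 23, "S"),
    # Ordinary web server resetting a stale connection: source port 80,
    # RST set, but a real source address, so it must not match.
    ("00:50:56:11:22:33", "10.0.1.10", 80, "10.0.5.23", 50000, "RA"),
]


def is_blaster_backscatter(pkt):
    """Signature from the post: src 127.0.0.1, src port 80, TCP RST set."""
    _, src_ip, sport, _, _, flags = pkt
    return src_ip == "127.0.0.1" and sport == 80 and "R" in flags


def backscatter_by_mac(packets):
    """Count matching RSTs per source MAC. The IP header is useless here
    (always 127.0.0.1), but the frame's source MAC points at the host
    whose stack emitted the reset, i.e. the infected machine."""
    return Counter(p[0] for p in packets if is_blaster_backscatter(p))


def real_syn_scanners(packets, min_ports=2):
    """Source IPs sending SYN-only probes to several distinct ports: the
    pattern of an actual scan, which the backscatter never shows."""
    ports_seen = {}
    for _, src_ip, _, _, dport, flags in packets:
        if flags == "S":
            ports_seen.setdefault(src_ip, set()).add(dport)
    return sorted(ip for ip, ps in ports_seen.items() if len(ps) >= min_ports)


if __name__ == "__main__":
    for mac, n in backscatter_by_mac(SAMPLE_PACKETS).most_common():
        print(f"likely infected host (by MAC): {mac}  resets seen: {n}")
    print("real SYN scanners:", real_syn_scanners(SAMPLE_PACKETS))
```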
