RE: Localhost packets on WAN

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/01/04

  • Next message: James C Slora Jr: "RE: Localhost packets on WAN"
    To: "'James C Slora Jr'" <Jim.Slora@phra.com>, "'Incidents List'" <incidents@securityfocus.com>
    Date: Thu, 30 Sep 2004 15:23:10 -0700
    
    

    > Blaster blowback is directed at the machine that generated
    > the traffic, and
    > occurs on the LAN of the infected host. If some miracle of
    > misconfiguration
    > guided a 127.0.0.1-destined packet out the gateway onto the upstream
    > network, what upstream device would answer a SYN to 127.0.0.1
    > that did not
    > originate from its own interface?

      WRONG! (But see further down, below the "--".)

      Blaster blowback is directed to the spoofed addresses generated
    randomly by the blaster virus code, and traverses whatever networks
    it needs to to get from the infected machine to those addresses.
      The 127.0.0.1-destined traffic never traverses *any* network; it
    occurs completely within the infected host. The infected host is
    answering SYNs that its own DoS code generated to its own loopback
    interface. It's sending the *answers* out an interface, toward
    the sources that were spoofed on the SYNs. [It's true, a "bulletproof"
    implementation of the stack COULD reject anything for a 127.*.*.*
    address that didn't originate from one ON THIS MACHINE, but only if
    the stack implementers were willing to commingle layer 2 and layer 3
    info to detect this special case. It's no surprise that real-world
    stacks don't bother.]

    > The source MAC address said the traffic was coming from my
    > upstream's Cisco
    > router. One day after my upstream stopped the traffic at my
    > request, it has
    > reappeared. More reason for suspicion, and Blaster still
    > doesn't explain it.

      The source address of any outside-originated traffic will be
    that of the gateway that last handled it. The infected machine
    is outside your network; it is possible to block this traffic
    at a gateway somewhere between the infected machine and your
    network. The point the ISP chose might not be the only gateway
    between your network and every infected machine in the world....

    > I don't know what it is. But it is simple to prove what it is
    > *not* with the evidence already provided.

      You've proven only that you don't understand the "Blaster blowback"
    scenario, and that a *single* infected machine PROBABLY doesn't account
    for all of the traffic you've seen.

    --
    > ... what upstream device would answer a SYN to 127.0.0.1 
    > that did not originate from its own interface?
      Almost any properly-working one, PROVIDED THAT ITS PHYSICAL
    MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION.
    This, of course, is only possible from within the same LAN segment,
    **and is not actually part of the "Blaster blowback" hypothesis**.
    (See above; the SYNs in this hypothesis DO originate from its own
    interface.)  But the fact that you ask this question suggests that 
    your understanding of the operation of the network stack may not
    be any more solid than your understanding of the hypothesis itself.
    David Gillett
    > -----Original Message-----
    > From: James C Slora Jr [mailto:Jim.Slora@phra.com]
    > Sent: Thursday, September 30, 2004 10:32 AM
    > To: 'Incidents List'
    > Subject: RE: Localhost packets on WAN
    > 
    > 
    > >   Please offer some *plausible* alternate explanation.  The 
    > > Blaster blowback precisely explains every detail of traffic 
    > > like this that I have seen directly or heard reported by 
    > > others.  Do you possess some additional evidence that 
    > > contradicts it?  Do you have a simpler explanation that 
    > > adequately explains the evidence?
    > 
    > David Nesting listed some plausible scenarios.
    > 
    > I don't know what it is. But it is simple to prove what it is 
    > *not* with the
    > evidence already provided.
    > 
    > Blaster blowback is directed at the machine that generated 
    > the traffic, and
    > occurs on the LAN of the infected host. If some miracle of 
    > misconfiguration
    > guided a 127.0.0.1-destined packet out the gateway onto the upstream
    > network, what upstream device would answer a SYN to 127.0.0.1 
    > that did not
    > originate from its own interface?
    > 
    > The simplest explanation often tends to be correct, but not 
    > when the facts
    > clearly contradict it.
    > 
    > On my own traffic, I have additional evidence that it is not Blaster
    > blowback.
    > 
    > The source MAC address said the traffic was coming from my 
    > upstream's Cisco
    > router. One day after my upstream stopped the traffic at my 
    > request, it has
    > reappeared. More reason for suspicion, and Blaster still 
    > doesn't explain it.
    > 
    > I took great pains to make absolutely sure there was no local 
    > stimulus at
    > all - I only answered ARPs and otherwise kept silent while 
    > sniffing. Sure
    > enough the 127.0.0.1 traffic was completely unsolicited. 
    > David's scenarios
    > could apply if someone else was spoofing my address or NATing 
    > traffic to me.
    > But again, that is speculation - there is not enough data to 
    > prove what it
    > is, and the proof is all upstream of my network so I will not 
    > have access to
    > it. 
    > 
    > If you want plausible speculation, I'd say someone might have 
    > compromised
    > the upstream router, changed ACLs and set up NATing to hide 
    > the source of
    > hostile probes from some other compromised machines downstream of the
    > router. Odd repetitions in the target ports of the traffic 
    > could indicate
    > something more complex.
    > 
    

  • Next message: James C Slora Jr: "RE: Localhost packets on WAN"