RE: Localhost packets on WAN

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 10/01/04

    To: "'Incidents List'" <incidents@securityfocus.com>
    Date: Thu, 30 Sep 2004 19:08:22 -0400
    
    

    > The point the ISP chose might not be the
    > only gateway between your network and every infected machine
    > in the world....

    Yes, this is true and something I did not adequately consider.

    > You've proven only that you don't understand the "Blaster blowback"
    > scenario, and that a *single* infected machine PROBABLY
    > doesn't account for all of the traffic you've seen.

    Unless multiple computers are all using a TTL that decrements to 125 when
    they reach me, they are the same machine or the same LAN, or behind a single
    proxy. And if multiple machines from disparate networks all get here with a
    TTL of 125, it is not Blaster because they are crafting the TTL. Either way,
    this is the only bogon traffic that has ever slipped through the upstream's
    bogon filtering.

    The traffic is believable for spoofed source Blaster blowback which I know
    happens, but NOT for local infection Blaster blowback.

    If it were not the only bogon traffic coming through and if it were not the
    first time ever that bogon traffic made a sudden appearance on that network,
    I would accept Blaster as a likely possibility.

    > > ... what upstream device would answer a SYN to 127.0.0.1 that did not
    > > originate from its own interface?
    >
    > Almost any properly-working one, PROVIDED THAT ITS PHYSICAL
    > MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION.
    > This, of course, is only possible from within the same LAN
    > segment, **and is not actually part of the "Blaster blowback"
    > hypothesis**.

    I should have said its own LAN rather than interface - my mistake. But if
    it's upstream, it's not on the same LAN segment. So it should not answer.
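
The TTL reasoning in the message above, as an added example that is not part of the original post: it groups bogon-sourced packets seen on a WAN interface by observed TTL and estimates hop distance. The packet records, the short bogon list, and the default initial TTLs (64, 128, 255) are assumptions made for this illustration.

```python
import ipaddress
from collections import Counter

# Common OS default initial TTLs (assumption for the estimate, not from the post).
INITIAL_TTLS = (64, 128, 255)

# Short illustrative subset of bogon ranges; a production filter list is longer.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

def is_bogon(src):
    """True if the source address falls in one of the listed bogon ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def estimate_origin(ttl):
    """Return (assumed initial TTL, hops travelled) using the smallest default >= ttl."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def summarize(packets):
    """Histogram the observed TTLs of bogon-sourced packets."""
    ttls = Counter(p["ttl"] for p in packets if is_bogon(p["src"]))
    return {
        "bogon_count": sum(ttls.values()),
        "ttl_histogram": dict(ttls),
        # One TTL value across all bogon packets is consistent with a single
        # origin or path, or with a sender that sets the TTL deliberately.
        "uniform_ttl": len(ttls) == 1,
    }

# Constructed sample records (not captured traffic).
SAMPLE = [
    {"src": "127.0.0.1", "dst": "198.51.100.7", "ttl": 125},
    {"src": "127.0.0.1", "dst": "198.51.100.9", "ttl": 125},
    {"src": "203.0.113.20", "dst": "198.51.100.7", "ttl": 52},
    {"src": "127.0.0.1", "dst": "198.51.100.8", "ttl": 125},
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report)
    for ttl in report["ttl_histogram"]:
        print(ttl, estimate_origin(ttl))
```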

