RE: Localhost packets on WAN
From: James C Slora Jr (Jim.Slora_at_phra.com)
To: "'Incidents List'" <firstname.lastname@example.org> Date: Thu, 30 Sep 2004 19:08:22 -0400
> The point the ISP chose might not be the
> only gateway between your network and every infected machine
> in the world....
Yes, this is true and something I did not adequately consider.
> You've proven only that you don't understand the "Blaster blowback"
> scenario, and that a *single* infected machine PROBABLY
> doesn't account for all of the traffic you've seen.
Unless multiple computers are all using a TTL that decrements to 125 when
they reach me, they are the same machine or the same LAN, or behind a single
proxy. And if multiple machines from disparate networks all get here with a
TTL of 125, it is not Blaster because they are crafting the TTL. Either way,
this is the only bogon traffic that has ever slipped through the upstream's
The traffic is believable for spoofed source Blaster blowback which I know
happens, but NOT for local infection Blaster blowback.
If it were not the only bogon traffic coming through and if it were not the
first time ever that bogon traffic made a sudden appearance on that network,
I would accept Blaster as a likely possibility.
> > ... what upstream device would answer a SYN to 127.0.0.1
> that did not
> > originate from its own interface?
> Almost any properly-working one, PROVIDED THAT ITS PHYSICAL
> MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION.
> This, of course, is only possible from within the same LAN
> segment, **and is not actually part of the "Blaster blowback"
I should have said its own LAN rather than interface - my mistake. But if
it's upstream, it's not on the same LAN segment. So it should not answer.