Quoting B3r3n ([EMAIL PROTECTED]):
> Christopher,
>
> > So, the machine is coming back up and the date was set after the 16th
> > and what do I see, I see a SYN flood but the source is 127.0.0.1 and the
> > destination is 192.168.X.X/16. (I am using 192.168.252.100 so the X's
> > are the random numbers)
> A question: does 192.168.x.x/16 reflect the configuration of the infected
> machine, or maybe a subnet of its configuration?
I don't see the problem... The PC in question is on the 192.168.x.0 network with address 192.168.x.y. According to the worm analysis, MSBlaster picks random source IP addresses limited to the first two octets of the infected PC's network: anything between 192.168.0.0 and 192.168.255.255 (or 192.168.255.254). The OP points windowsupdate.com to 127.0.0.1. The worm starts generating packets with dst 127.0.0.1 and src in 192.168.0.0-192.168.255.255. Since the PC is not running a web server, the OS sends a RST to the dst in 192.168.0.0-192.168.255.255 (basic TCP). The more SYN packets are generated, the more RST packets you get on your class B network.

Conclusion: pointing windowsupdate.com to 127.0.0.1 replaces the SYN attack on windowsupdate.com with a RST attack on your class B.

Solution: patch the freaking PCs!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
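The "basic TCP" step the reply leans on is worth seeing end to end: a SYN arriving at a port with no listener is answered with RST|ACK (SEQ=0, ACK=SEG.SEQ+1, per RFC 793's CLOSED state), and the reply goes to whatever source address the SYN claimed. The model below is an added example written for this page, not code from the thread or from any worm analysis; it constructs the packets in memory rather than sending anything, and its scenario (an infected host in 192.168.0.0/16, windowsupdate.com sinkholed to 127.0.0.1, nothing listening on TCP/80) is an assumption matching the post, not captured traffic.

```python
import ipaddress
import random
import struct
from collections import Counter

# Constructed scenario (assumptions matching the thread, not captured data):
# the infected host sits in 192.168.0.0/16, windowsupdate.com has been pointed
# at 127.0.0.1, and the sinkhole host has nothing listening on TCP/80.
INFECTED_NET = ipaddress.ip_network("192.168.0.0/16")
SINKHOLE = "127.0.0.1"
TARGET_PORT = 80
OPEN_PORTS = frozenset()  # no web server on the sinkhole host

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


def build_tcp(sport, dport, seq, ack, flags, window=8192):
    """Build a 20-byte TCP header (no options; checksum left zero because we
    model the exchange rather than put it on the wire)."""
    data_offset_flags = (5 << 12) | flags  # 5 x 32-bit words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_flags, window, 0, 0)


def parse_tcp(header):
    """Decode the fixed TCP header fields this model needs."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", header[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF}


def worm_syn(rng):
    """One spoofed SYN as the worm analysis describes: the destination is the
    sinkhole, the claimed source is a random host in the infected host's /16."""
    idx = rng.randrange(1, INFECTED_NET.num_addresses - 1)  # skip .0.0 and .255.255
    src = str(INFECTED_NET[idx])
    tcp = build_tcp(rng.randrange(1024, 65536), TARGET_PORT,
                    rng.getrandbits(32), 0, TH_SYN)
    return {"src": src, "dst": SINKHOLE, "tcp": tcp}


def respond_closed_port(pkt, open_ports=OPEN_PORTS):
    """What a TCP stack does with a SYN to a port in CLOSED state (RFC 793):
    answer RST|ACK with SEQ=0 and ACK=SEG.SEQ+SEG.LEN (a SYN occupies one
    sequence number), addressed to whatever source the SYN *claimed*.
    Returns None when the port is open (the handshake would continue instead)."""
    t = parse_tcp(pkt["tcp"])
    if t["dport"] in open_ports or not (t["flags"] & TH_SYN):
        return None
    seg_len = 1  # bare SYN, no payload
    rst = build_tcp(t["dport"], t["sport"], 0,
                    (t["seq"] + seg_len) & 0xFFFFFFFF, TH_RST | TH_ACK)
    return {"src": pkt["dst"], "dst": pkt["src"], "tcp": rst}


def reflect(n_syns, seed=1):
    """Run n_syns worm SYNs through the sinkhole and summarise where the
    resulting RSTs land."""
    rng = random.Random(seed)
    rsts = [r for r in (respond_closed_port(worm_syn(rng)) for _ in range(n_syns)) if r]
    by_24 = Counter(str(ipaddress.ip_network(r["dst"] + "/24", strict=False)) for r in rsts)
    return {
        "syns": n_syns,
        "rsts": len(rsts),
        "rst_sources": {r["src"] for r in rsts},
        "all_in_infected_net": all(ipaddress.ip_address(r["dst"]) in INFECTED_NET for r in rsts),
        "distinct_victims": len({r["dst"] for r in rsts}),
        "distinct_24s": len(by_24),
        "all_rst_ack": all(parse_tcp(r["tcp"])["flags"] == (TH_RST | TH_ACK) for r in rsts),
    }


if __name__ == "__main__":
    s = reflect(10000)
    print(f"{s['syns']} SYNs at {SINKHOLE}:{TARGET_PORT} -> {s['rsts']} RSTs from "
          f"{sorted(s['rst_sources'])} spread over {s['distinct_victims']} hosts "
          f"in {s['distinct_24s']} /24s of {INFECTED_NET}")
```

Every SYN produces exactly one RST|ACK, all sourced from the sinkhole and fanned out across the /16, which is the "RST attack on your class B" the reply describes; swap `OPEN_PORTS` for `{80}` and the function returns None, i.e. a host that does listen on 80 would hand out SYN|ACKs to the same spoofed addresses instead. Whether a packet with source 127.0.0.1 actually leaves a real interface is stack-dependent (many stacks refuse to route loopback-sourced traffic off-box), so treat the model as the TCP rule, not a prediction of what a given Windows build puts on the wire. For detection, the tell is one host emitting RST|ACK segments with SEQ=0, non-zero ACK and source port 80 to many addresses in its own /16.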
