> -----Original Message-----
> From: Vladimir Parkhaev [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 15, 2003 9:18 AM
> To: Christopher Lyon
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] msblast DDos counter measures (More Insight Maybe?)
>
> Quoting Christopher Lyon ([EMAIL PROTECTED]):
> > Look at these traces to see what it is doing. Note the source and
> > destination ports and addresses.
> >
> > WINDOWSUPDATE.COM set to resolve normally
> > 19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S
> > 886046720:886046720(0) win 16384
> >
> > It is allowed to resolve normally and the source is just what we think.
> > 192.168.x.x with the x's random numbers. This is what we all know and
> > can prove.
>
> Yeah, OK. That is a SYN packet.
>
> > WINDOWSUPDATE.COM set to 127.0.0.1
> > 19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R
> > 0:0(0) ack 68419585 win 0
> >
> > Now look at the source, the source is 127.0.0.1 and the destination is
> > the 192.168.x.x with the x's being random numbers. That is what I am
> > saying is different. Also note that the dst port is 80.
>
> Yeah, OK. That is a RST packet! You are confused.
>
> Lemme have a second go at it:
> Your box 192.168.187.171 (infected).
> You set windowsupdate.com to 127.0.0.1
> Your infected box sends SYN to itself (dst=127.0.0.1) port 80,
> and randomly selected src in 192.168.x.y range and port. You do
> not see this packet, it does not go on the wire. Next your PC
> replies with a RST packet, the one you posted
> (19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R)
>                                                                  ^^^
> RST packet!
> because there is webserver listening on port 80 (if there was, you would
> have seen SYN/ACK packet).
>
> > So, what I am saying is that the syn flood will leave the box but it
> > will leave differently than we all think. So, can someone confirm this?
> > I have been seeing this in two different environments now.
>
> Sure, I'll confirm:
>
> Packets with src=127.0.0.1 will be dropped by routers and firewalls. If you
> screw with DNS and windowsupdate.com you will have a lot of RST packets
> flying inside your LAN.
OK, sorry that I didn't see that before but I see it now. Thanks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
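As an added illustration (not part of the thread or either poster's code), a small Python classifier that parses tcpdump summary lines like the two quoted above and labels the two cases Vladimir describes: the SYN toward port 80 that leaves the box when windowsupdate.com resolves normally, and the loopback-sourced RST that the stack emits toward the random 192.168.x.y source when the name is pinned to 127.0.0.1. The regex, the label names and the third sample line are my assumptions.

```python
import re
from collections import Counter

# Matches the tcpdump summary format of the traces quoted in the thread:
#   "<time> <src-host>.<src-port> > <dst-host>.<dst-port>: <flags> ..."
# (assumption based on those two lines, not on every tcpdump version)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SRFP.]+)"
)

def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP summary line."""
    m = LINE_RE.match(line.lstrip("> ").strip())   # tolerate e-mail quote markers
    if not m:
        return None
    src_host, src_port = m.group("src").rsplit(".", 1)   # port is the last dotted token
    dst_host, dst_port = m.group("dst").rsplit(".", 1)
    return {"ts": m.group("ts"), "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "flags": m.group("flags")}

def classify(pkt):
    """Label a parsed packet the way the thread explains the two traces."""
    if pkt is None:
        return "unparsed"
    if pkt["flags"] == "S" and pkt["dport"] == "http" and pkt["src"].startswith("192.168."):
        # windowsupdate.com resolves normally: a SYN toward port 80 leaves the box
        return "syn-to-port-80"
    if pkt["flags"] == "R" and pkt["src"] in ("127.0.0.1", "localhost", "localhost.localdomain"):
        # name pinned to 127.0.0.1: the box RSTs the SYN it sent itself, addressed to
        # the random 192.168.x.y source, so the RST (not the SYN) is what hits the LAN
        return "rst-from-loopback"
    return "other"

def summarize(lines):
    """Count labels over a capture; a non-zero 'rst-from-loopback' count is the
    LAN-side signature Vladimir describes for the DNS-override setup."""
    return Counter(classify(parse_line(l)) for l in lines)

# Sample input: the two traces from the thread plus one constructed SYN/ACK line.
SAMPLE = [
    "19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S 886046720:886046720(0) win 16384",
    "19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R 0:0(0) ack 68419585 win 0",
    "19:50:01.000000 10.0.0.5.http > 192.168.1.20.3344: S 1:1(0) ack 2 win 8760",   # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(parse_line(line)), "<-", line)
    print(summarize(SAMPLE))
```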
