Hal Dorsman wrote:
>
> Blaster? Must be a variant I have not seen. I thought
> Blaster was a RPC exploit. I am confused why it shows
> source as localhost. I am not turning up anything with
> any searches. You have any links?
It's not the exploit, it's the DDoS portion of the worm.
The pieces:
- The Blaster DDoS spoofs the source address of the SYNs it
aims at www.windowsupdate.com.
- As a defensive measure, some DNS admins locally changed
the A-record for windowsupdate.com to 127.0.0.1.
The result, the worm sends a SYN from <some-address> to 127.0.0.1
on 80/tcp. But the odds are that 127.0.0.1 doesn't have anything
listening on 80/tcp, so it sends a RST response. You are seeing
these RSTs with a source of 127.0.0.1, source port of 80, some
ephemeral destination port, and IP address in your range.
So, the "friendly" admin who changed the A-record has accomplished
what? Nothing. The worm infested hosts still spew junk on the network,
but junk that is hard to filter and confusing to people like us.
Windowsupdate.com has no A-record in global DNS which _really_ would
foil the worm. If anyone has done this kludge, please remove.
> > > Recently I've been seeing log entrys on my NG3 box
> > > show up on my external interface with a source of
> > > "localhost". A snoop shows source port 80 to various
> > > IPs and ports in the 1000-2000 range. They are being
> > > dropped by rule 0, but I do not recall ever seeing this
> > > behavior before. Is this a spoof attempt?
> >
> > No. It's Blaster.
> > --
> > Crist J. Clark
> > [EMAIL PROTECTED]
> > Globalstar Communications
> > (408) 933-4387
> >
> >
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact [EMAIL PROTECTED]
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
