I don't understand how this could work as you describe. If these admins aren't running authoritative DNS for windowsupdate.com, the only people that would use them for lookups are their own clients.
This hit us in the first week of August, which I think is pre-Blaster. My month-old firewall had an email alert setup for spoofing and had never peeped. One day I came in and found literally thousands of alerts for local interface spoofing. The sheer amount was good because it enabled me to see that the alert was occurring precisely every three hours for two minutes and then stopping.
The source definitely was from the external interface and our router people did their magic to the Internet router to block everything with a source of 127.0.0.1 and it immediately stopped.
Ray
From: Crist Clark <[EMAIL PROTECTED]> Reply-To: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [FW-1] log entry: source localhost Date: Tue, 2 Dec 2003 16:07:38 -0800
Hal Dorsman wrote: > > Blaster? Must be a variant I have not seen. I thought > Blaster was a RPC exploit. I am confused why it shows > source as localhost. I am not turning up anything with > any searches. You have any links?
It's not the exploit, it's the DDoS portion of the worm. The pieces:
- The Blaster DDoS spoofs the source address of the SYNs it aims at www.windowsupdate.com.
- As a defensive measure, some DNS admins locally changed the A-record for windowsupdate.com to 127.0.0.1.
The result, the worm sends a SYN from <some-address> to 127.0.0.1 on 80/tcp. But the odds are that 127.0.0.1 doesn't have anything listening on 80/tcp, so it sends a RST response. You are seeing these RSTs with a source of 127.0.0.1, source port of 80, some ephemeral destination port, and IP address in your range.
So, the "friendly" admin who changed the A-record has accomplished what? Nothing. The worm infested hosts still spew junk on the network, but junk that is hard to filter and confusing to people like us. Windowsupdate.com has no A-record in global DNS which _really_ would foil the worm. If anyone has done this kludge, please remove.
> > > Recently I've been seeing log entrys on my NG3 box > > > show up on my external interface with a source of > > > "localhost". A snoop shows source port 80 to various > > > IPs and ports in the 1000-2000 range. They are being > > > dropped by rule 0, but I do not recall ever seeing this > > > behavior before. Is this a spoof attempt? > > > > No. It's Blaster. > > -- > > Crist J. Clark > > [EMAIL PROTECTED] > > Globalstar Communications > > (408) 933-4387 > > > > > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > =================================================
-- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications (408) 933-4387
The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
_________________________________________________________________ Winterize your home with tips from MSN House & Home. http://special.msn.com/home/warmhome.armx
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
