Thanks for the clarification, Crist. Those packets are long gone now, so I can't look at them anymore.
Ray
From: Crist Clark <[EMAIL PROTECTED]> Reply-To: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [FW-1] log entry: source localhost Date: Wed, 3 Dec 2003 09:21:38 -0800
"Ray P." wrote: > > Hi Chris, > > I don't understand how this could work as you describe. If these admins > aren't running authoritative DNS for windowsupdate.com, the only people that > would use them for lookups are their own clients.
Right, and some of their own clients are infected with Blaster. These clients then send these 127.0.0.1-sourced packets all over the Internet.
> This hit us in the first week of August, which I think is pre-Blaster.
Blaster was mid-August. That could be something else, but most of the stuff people are seeing now is probably Blaster. This has been discussed here before (IIRC) and in many other places,
http://www.securityfocus.com/archive/75/342726/2003-10-26/2003-11-01/2 http://www.security-forums.com/forum/viewtopic.php?t=8256
> My > month-old firewall had an email alert setup for spoofing and had never > peeped. One day I came in and found literally thousands of alerts for local > interface spoofing. The sheer amount was good because it enabled me to see > that the alert was occurring precisely every three hours for two minutes and > then stopping.
An interesting pattern. But it definately sounds like something is "broken" somewhere rather than someone is trying to attack you.
Do you have the ability to check what the TCP flags in the packets were? If they are RSTs, it is almost certainly Blaster or something else in the same scenario I described.
> The source definitely was from the external interface and our router people > did their magic to the Internet router to block everything with a source of > 127.0.0.1 and it immediately stopped.
Yep, that should do it. It's pretty annoying that Checkpoint hasn't come up with a feature to allow more fine grained logging within some of the "automatic" checks.
> >From: Crist Clark <[EMAIL PROTECTED]> > >Reply-To: Mailing list for discussion of Firewall-1 > ><[EMAIL PROTECTED]> > >To: [EMAIL PROTECTED] > >Subject: Re: [FW-1] log entry: source localhost > >Date: Tue, 2 Dec 2003 16:07:38 -0800 > > > >Hal Dorsman wrote: > > > > > > Blaster? Must be a variant I have not seen. I thought > > > Blaster was a RPC exploit. I am confused why it shows > > > source as localhost. I am not turning up anything with > > > any searches. You have any links? > > > >It's not the exploit, it's the DDoS portion of the worm. > >The pieces: > > > > - The Blaster DDoS spoofs the source address of the SYNs it > > aims at www.windowsupdate.com. > > > > - As a defensive measure, some DNS admins locally changed > > the A-record for windowsupdate.com to 127.0.0.1. > > > >The result, the worm sends a SYN from <some-address> to 127.0.0.1 > >on 80/tcp. But the odds are that 127.0.0.1 doesn't have anything > >listening on 80/tcp, so it sends a RST response. You are seeing > >these RSTs with a source of 127.0.0.1, source port of 80, some > >ephemeral destination port, and IP address in your range. > > > >So, the "friendly" admin who changed the A-record has accomplished > >what? Nothing. The worm infested hosts still spew junk on the network, > >but junk that is hard to filter and confusing to people like us. > >Windowsupdate.com has no A-record in global DNS which _really_ would > >foil the worm. If anyone has done this kludge, please remove. > > > > > > > Recently I've been seeing log entrys on my NG3 box > > > > > show up on my external interface with a source of > > > > > "localhost". A snoop shows source port 80 to various > > > > > IPs and ports in the 1000-2000 range. They are being > > > > > dropped by rule 0, but I do not recall ever seeing this > > > > > behavior before. Is this a spoof attempt? > > > > > > > > No. It's Blaster. > > > > -- > > > > Crist J. Clark > > > > [EMAIL PROTECTED] > > > > Globalstar Communications > > > > (408) 933-4387 > > > > > > > > > > > > > > ================================================= > > > To set vacation, Out-Of-Office, or away messages, > > > send an email to [EMAIL PROTECTED] > > > in the BODY of the email add: > > > set fw-1-mailinglist nomail > > > ================================================= > > > To unsubscribe from this mailing list, > > > please see the instructions at > > > http://www.checkpoint.com/services/mailing.html > > > ================================================= > > > If you have any questions on how to change your > > > subscription options, email > > > [EMAIL PROTECTED] > > > ================================================= > > > > > >-- > >Crist J. Clark [EMAIL PROTECTED] > >Globalstar Communications (408) 933-4387 > > > >The information contained in this e-mail message is confidential, > >intended only for the use of the individual or entity named above. > >If the reader of this e-mail is not the intended recipient, or the > >employee or agent responsible to deliver it to the intended recipient, > >you are hereby notified that any review, dissemination, distribution or > >copying of this communication is strictly prohibited. If you have > >received this e-mail in error, please contact [EMAIL PROTECTED] > > > >================================================= > >To set vacation, Out-Of-Office, or away messages, > >send an email to [EMAIL PROTECTED] > >in the BODY of the email add: > >set fw-1-mailinglist nomail > >================================================= > >To unsubscribe from this mailing list, > >please see the instructions at > >http://www.checkpoint.com/services/mailing.html > >================================================= > >If you have any questions on how to change your > >subscription options, email > >[EMAIL PROTECTED] > >================================================= > > _________________________________________________________________ > Winterize your home with tips from MSN House & Home. > http://special.msn.com/home/warmhome.armx > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > =================================================
-- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications (408) 933-4387
The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
_________________________________________________________________ Tired of slow downloads and busy signals? Get a high-speed Internet connection! Comparison-shop your local high-speed providers here. https://broadband.msn.com
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
