
Re: [Full-Disclosure] msblast DDos counter measures (More Insight Maybe?)



Quoting B3r3n (B3r3n@argosnet.com):
> Christopher,
> 
> > So, the machine is coming back up and the date was set after the 16th
> > and what do I see, I see a SYN flood but the source is 127.0.0.1 and the
> > destination is 192.168.X.X/16. (I am using 192.168.252.100 so the X's
> > are the random numbers)
> A question: does 192.168.x.x/16 reflect the configuration of the infected 
> machine, or maybe a subnet of its configuration?

I don't see the problem... The PC in question is on the 192.168.x.0 network
with address 192.168.x.y. According to the worm analysis, msblaster
picks random src IP addresses limited to the first 2 octets of the infected
PC's network - anything between 192.168.0.0-192.168.255.255 (or 192.168.255.254).

The OP points windowsupdate.com to 127.0.0.1. The worm starts generating
packets with dst 127.0.0.1 and src in 192.168.0.0-192.168.255.255. Since the PC
is not running a web server, the OS sends a RST to the dst in
192.168.0.0-192.168.255.255 (basic TCP). The more SYN packets are generated,
the more RST packets you get on your class B network.
Conclusion - pointing windowsupdate.com to 127.0.0.1 replaces the SYN attack on
windowsupdate.com with a RST attack on your class B.
Solution - patch the freaking PCs!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
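The mechanism the reply describes (spoofed sources inside the infected host's /16, SYNs to whatever windowsupdate.com resolves to, and a closed port answering each SYN with a RST to the spoofed source) can be modelled and detected in a few lines. The following is an added example written for this page, not code from the list posters or from any worm analysis: `spoofed_source` models only what the reply states about the worm (first two octets kept, last two random), and `loopback_rst_storm` is a hypothetical detector over constructed tcpdump-style lines that flags RSTs sourced from 127.0.0.1 toward the local 192.168.0.0/16, the symptom the original poster saw. The log lines, the network 192.168.0.0/16 and the alarm threshold are assumptions chosen for illustration.

```python
import ipaddress
import random
import re
from collections import Counter

# --- Model of the traffic the reply describes -------------------------------

def spoofed_source(infected_ip, rng):
    """Source address as the reply attributes it to the worm: the first two
    octets of the infected host are kept, the last two are random."""
    a, b, _, _ = infected_ip.split(".")
    return f"{a}.{b}.{rng.randrange(0, 256)}.{rng.randrange(0, 256)}"

def rst_destinations(infected_ip, n, seed=1):
    """Where the closed-port RSTs go once windowsupdate.com resolves to
    127.0.0.1: each RST is addressed to the spoofed source of the SYN that
    triggered it, so every one lands somewhere inside the host's own /16."""
    rng = random.Random(seed)
    return [spoofed_source(infected_ip, rng) for _ in range(n)]

# --- Hypothetical detector over tcpdump-style text --------------------------

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample lines (not a real capture): four loopback-sourced RSTs
# into 192.168/16, one ordinary DNS SYN, one RST from a non-loopback source.
SAMPLE_LOG = """\
12:00:01.000001 IP 127.0.0.1.80 > 192.168.17.201.1025: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.000120 IP 127.0.0.1.80 > 192.168.200.9.1026: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.000240 IP 192.168.252.100.3045 > 192.168.252.1.53: Flags [S], seq 100, win 64240, length 0
12:00:01.000360 IP 127.0.0.1.80 > 192.168.3.44.1027: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.000480 IP 10.0.0.5.80 > 192.168.252.100.4000: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:01.000600 IP 127.0.0.1.80 > 192.168.77.1.1028: Flags [R.], seq 0, ack 1, win 0, length 0
"""

def parse_line(line):
    """Parse one tcpdump-style TCP line into a dict, or None if it does not match."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt

def loopback_rst_storm(lines, local_net="192.168.0.0/16", threshold=3):
    """Count RST segments whose source is 127.0.0.1 and whose destination is
    inside local_net. A loopback source should never appear on the wire; with
    the RST flag and a local destination it matches the 'RST attack on your
    class B' described in the reply. Returns (count, Counter of /24s hit, alarm)."""
    net = ipaddress.ip_network(local_net)
    count = 0
    hit_subnets = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if src.is_loopback and "R" in pkt["flags"] and dst in net:
            count += 1
            subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
            hit_subnets[str(subnet)] += 1
    return count, hit_subnets, count >= threshold

def summarize(log_text=SAMPLE_LOG):
    """Convenience wrapper returning a small report for the constructed log."""
    count, subnets, alarm = loopback_rst_storm(log_text.splitlines())
    return {"loopback_rsts": count, "subnets_hit": len(subnets), "alarm": alarm}

if __name__ == "__main__":
    print(summarize())
    print(rst_destinations("192.168.252.100", 5))
```

The detector keys on the one property of this traffic that is unambiguous on a LAN: a 127.0.0.1 source address on a non-loopback interface. Per-/24 counting shows the spread across the whole /16 that the reply predicts, which distinguishes this from a RST burst aimed at a single host.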