
RE: [Full-Disclosure] msblast DDos counter measures (More Insight Maybe?)



> -----Original Message-----
> From: Vladimir Parkhaev [mailto:vladimir@arobas.net]
> Sent: Friday, August 15, 2003 9:18 AM
> To: Christopher Lyon
> Cc: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] msblast DDos counter measures (More Insight Maybe?)
> 
> Quoting Christopher Lyon (cslyon@netsvcs.com):
> > Look at these traces to see what it is doing. Note the source and
> > destination ports and addresses.
> >
> > WINDOWSUPDATE.COM set to resolve normally
> > 19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S
> > 886046720:886046720(0) win 16384
> >
> > It is allowed to resolve normally and the source is just what we think.
> > 192.168.x.x with the x's random numbers. This is what we all know and
> > can prove.
> 
> Yeah, OK. That is a SYN packet.
> 
> 
> >
> >
> > WINDOWSUPDATE.COM set to 127.0.0.1
> > 19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R
> > 0:0(0) ack 68419585 win 0
> >
> > Now look at the source, the source is 127.0.0.1 and the destination is
> > the 192.168.x.x with the x's being random numbers. That is what I am
> > saying is different. Also note that the dst port is 80.
> 
> Yeah, OK. That is a RST packet! You are confused.
> 
> Lemme have a second go at it:
> Your box 192.168.187.171 (infected).
> You set windowsupdate.com to 127.0.0.1
> Your infected box sends SYN to itself (dst=127.0.0.1) port 80,
> and randomly selected src in 192.168.x.y range and port. You do
> not see this packet, it does not go on the wire. Next your PC
> replies with a RST packet, the one you posted
> (19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R)
>                                                                   ^^^
>                                                           RST packet!
> because there is no webserver listening on port 80 (if there was, you would
> have seen a SYN/ACK packet).
> 
> 
> 
> >
> > So, what I am saying is that the syn flood will leave the box but it
> > will leave differently then we all think. So, can someone confirm
this?
> > I have been seeing this in two different environments now.
> >
> >
> 
> Sure, I'll confirm:
> 
> Packets with src=127.0.0.1 will be dropped by routers and firewalls. If you
> screw with DNS and windowsupdate.com you will have a lot of RST packets
> flying inside your LAN.

OK,
Sorry that I didn't see that before, but I see it now. Thanks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
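The two traces in the thread differ only in the TCP flag and in who the source is: a SYN from a random 192.168.x.y address toward the real windowsupdate.com address, versus a RST from 127.0.0.1 port 80 back to a random 192.168.x.y address once windowsupdate.com has been pointed at loopback. The script below is an added example, not code from the thread or from any of its authors. It parses tcpdump lines in the old format quoted above and sorts them into those two categories, and it reproduces the point Vladimir makes about why the second trace is a RST: a SYN to a local port with nothing listening is answered with RST, while the same port with a listener completes the handshake. The sample trace lines, the category names and the small port-name map are constructed for the example.

```python
"""Classify tcpdump lines of the kind quoted in the thread and show why a SYN
to a port with no listener comes back as RST.  Added example, not code from
the list thread; sample trace lines and category names are constructed."""
import ipaddress
import re
import socket
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample in the old tcpdump format used in the thread: the first
# two lines mimic the SYN flood toward the real windowsupdate.com address with
# random 192.168.x.y sources, the next two mimic the RSTs seen once
# windowsupdate.com resolved to 127.0.0.1, the last one is unrelated traffic.
SAMPLE_TRACE = """\
19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S 886046720:886046720(0) win 16384
19:48:24.101211 192.168.44.9.2210 > 204.79.188.11.http: S 11223344:11223344(0) win 16384
19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R 0:0(0) ack 68419585 win 0
19:39:56.200001 localhost.localdomain.http > 192.168.7.12.1400: R 0:0(0) ack 5 win 0
19:40:01.000000 10.0.0.5.3300 > 10.0.0.9.ssh: S 1:1(0) win 5840
"""

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..."; \S+ backtracks to the last dot
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+(?P<flags>[SRPFA.]+)"
)
PORT_NAMES = {"http": 80, "ssh": 22}  # tcpdump prints service names for well-known ports
PRIVATE_192 = ipaddress.ip_network("192.168.0.0/16")


def port_number(name: str) -> Optional[int]:
    return int(name) if name.isdigit() else PORT_NAMES.get(name)


def is_loopback(host: str) -> bool:
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def in_192_168(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in PRIVATE_192
    except ValueError:
        return False


def classify(line: str) -> Optional[str]:
    """'spoofed_private_syn', 'loopback_rst' or 'other'; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags, src, dst = m["flags"], m["src"], m["dst"]
    sport, dport = port_number(m["sport"]), port_number(m["dport"])
    # Trace 1 in the thread: bare SYN, random 192.168.x.y source, dst port 80.
    if flags == "S" and dport == 80 and in_192_168(src):
        return "spoofed_private_syn"
    # Trace 2: RST from 127.0.0.1:80 back to the random 192.168.x.y "source".
    if flags == "R" and sport == 80 and is_loopback(src) and in_192_168(dst):
        return "loopback_rst"
    return "other"


def summarize(trace: str) -> Dict[str, int]:
    counts = Counter(classify(l) for l in trace.splitlines() if l.strip())
    counts.pop(None, None)  # drop unparsable lines
    return dict(counts)


def probe_loopback_port(port: int, timeout: float = 1.0) -> str:
    """'open' if the handshake completed (SYN/ACK came back), 'refused' if the
    kernel answered the SYN with RST because nothing is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
            return "open"
        except ConnectionRefusedError:
            return "refused"


def demo_listener_vs_no_listener() -> Tuple[str, str]:
    """Probe the same loopback port with a listener and again after closing it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe_loopback_port(port)
    srv.close()
    without_listener = probe_loopback_port(port)
    return with_listener, without_listener


if __name__ == "__main__":
    for line in SAMPLE_TRACE.splitlines():
        print(f"{classify(line):>20}  {line}")
    print(summarize(SAMPLE_TRACE))
    print("listener / no listener:", demo_listener_vs_no_listener())
```

Run on the constructed trace, `summarize` reports two SYNs of the first kind, two loopback RSTs and one unrelated packet; `demo_listener_vs_no_listener` returns `('open', 'refused')`, the socket-level view of SYN/ACK versus RST that the reply describes. The RST category is the one worth alerting on inside a LAN: it only appears when the worm's target name resolves to loopback, and, as the reply notes, the spoofed SYNs themselves never cross a router with source 127.0.0.1.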