[Snort-users] Re: Bad Loopback Traffic

bclark at ...10956... bclark at ...10956...
Wed Feb 25 10:26:07 EST 2004


My new comments below:

> The best summary of an explanation I have seen is attached below (From
> Dan of the Incidents list).
>
> Regards,
> Frank
>
> ---8<---
>
> -----Forwarded Message-----
> From: Dan Hanson <dhanson at ...35...>
> To: incidents at ...35...
> Subject: Administrivia: Are you seeing portscans from source 127.0.0.1
> source port 80?
> Date: Tue, 28 Oct 2003 08:59:56 -0700
>
> I am posting this in the hopes of dulling the 5-6 messages I get every
> day that are reporting port scans to their network all of which have a
> source IP of 127.0.0.1 and source port 80.
>
> It is likely Blaster (check your favourite AV site for a writeup, I
> won't summarize here).
>
> The reason that people are seeing this has to do with some very bad
> advice that was given early in the blaster outbreak. The advice basically
> was that to protect the Internet from the DoS attack that was to hit
> windowsupdate.com, all DNS servers should return 127.0.0.1 for queries
> to windowsupdate.com. Essentially these suggestions were suggesting that
> hosts should commit suicide to protect the Internet.
>
> The problem is that the DoS routine spoofs the source address, so when
> windowsupdate.com resolves to 127.0.0.1 the following happens.
>
> Infected host picks address as source address and sends Syn packet to
> 127.0.0.1 port 80. (Sends it to itself) (This never makes it on the
> wire, you will not see this part)
>
> TCP/IP stack receives packet, responds with reset (if there is nothing
> listening on that port), sending the reset to the host with the spoofed
> source address (this is what people are seeing and mistaking for
> portscans)
>
> Result: It looks like a host is port scanning ephemeral ports using
> packets with source address:port of 127.0.0.1:80
>
> Solution: track back the packets by MAC address to find the infected
> machine. Turn off NS resolution of windowsupdate.com to 127.0.0.1.
>
> Hope that helps
>
> D

Not sure that is it, because the destination is port 80, not localhost, but
I do see the packet has a FIN flag. Most of the time the destinations are
within the Class A that my class C belongs to.

Brian
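The forwarded explanation above describes a traffic pattern (RSTs from 127.0.0.1:80 leaving an infected host towards spoofed source addresses) and suggests tracing it back by MAC address. The following is an added example, not code from the thread or from Snort: it parses a small constructed capture in tcpdump -e style, flags any loopback address seen on the wire, and groups the 127.0.0.1:80 resets by source MAC so the emitting host can be identified. The capture text, MAC addresses and IPs are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample capture (tcpdump -e style); not real traffic from the thread.
SAMPLE_CAPTURE = """\
08:59:56.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.0.5.17.3245: Flags [R.], seq 0, ack 1, win 0, length 0
08:59:56.000120 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.0.9.200.1045: Flags [R.], seq 0, ack 1, win 0, length 0
08:59:56.000300 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.5.17.3245 > 10.0.5.1.80: Flags [S], seq 1, win 65535, length 0
08:59:56.000450 00:11:22:33:44:66 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 54: 127.0.0.1.80 > 10.0.44.3.2001: Flags [R.], seq 0, ack 1, win 0, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump -e lines into dicts with MACs, IPs, ports and TCP flags."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def is_bad_loopback(pkt):
    """A 127/8 address on the wire is always bogus: loopback never leaves a host."""
    return pkt["sip"].startswith("127.") or pkt["dip"].startswith("127.")


def blaster_rst_suspects(pkts):
    """Map source MAC -> set of (dst ip, dst port) for RSTs from 127.0.0.1:80.

    On the local segment the source MAC is the infected host itself; across a
    router it is only the router's MAC, so trace from the sensor's own segment.
    """
    suspects = defaultdict(set)
    for p in pkts:
        if is_bad_loopback(p) and p["sip"] == "127.0.0.1" and p["sport"] == 80 and "R" in p["flags"]:
            suspects[p["smac"]].add((p["dip"], p["dport"]))
    return dict(suspects)


if __name__ == "__main__":
    for mac, targets in blaster_rst_suspects(parse_capture(SAMPLE_CAPTURE)).items():
        print(mac, "sent 127.0.0.1:80 resets to", sorted(targets))
```

Note that Brian's traffic (destination port 80, FIN set) would not match this pattern, which is consistent with his doubt that it is the same phenomenon.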