Full Disclosure mailing list archives
Re: msblast DDos counter measures (More Insight Maybe?)
From: Vladimir Parkhaev <vladimir () arobas net>
Date: Fri, 15 Aug 2003 08:05:25 -0400
Quoting B3r3n (B3r3n () argosnet com):
> Christopher,
>
> So, the machine is coming back up and the date was set after the 16th and what do I see, I see a SYN flood but the source is 127.0.0.1 and the destination is 192.168.X.X/16. (I am using 192.168.252.100 so the X's are the random numbers)
>
> A question: does 192.168.x.x/16 reflect the configuration of the infected machine, or maybe a subnet of its configuration?

I don't see the problem... The PC in question is on the 192.168.x.0 nw with address 192.168.x.y. According to the worm analysis, msblaster picks random src IP addresses limited to the first 2 octets of the infected PC's nw - anything between 192.168.0.0-192.168.255.255 (or 192.168.255.254).

The OP points windowsupdate.com to 127.0.0.1. The worm starts generating packets dst 127.0.0.1 src in 192.168.0.0-192.168.255.255. Since the PC is not running a web server, the OS sends a RST to the dst in 192.168.0.0-192.168.255.255 (basic TCP). More SYN packets are generated, more RST packets you get on your class B n/w.

Conclusion - pointing windowsupdate.com to 127.0.0.1 replaces SYN attack of windowsupdate.com by RST attack on your class B.

Solution - patch the freaking PCs!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
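
A defender-side check for the traffic pattern discussed in this message, added here as an example and not part of the original post: it groups captured TCP records by source MAC and reports hosts that emit loopback-sourced segments to many distinct addresses in the local 192.168.0.0/16. The record format, MAC addresses, threshold and function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture records (not real traffic), one per line:
#   <src MAC> <src IP>:<port> > <dst IP>:<port> <TCP flags>
# "RA" = RST+ACK, the normal reply to a SYN sent to a closed port.
SAMPLE = """\
00:0c:29:aa:bb:01 127.0.0.1:80 > 192.168.17.203:1042 RA
00:0c:29:aa:bb:01 127.0.0.1:80 > 192.168.201.9:1043 RA
00:0c:29:aa:bb:01 127.0.0.1:80 > 192.168.64.77:1044 RA
00:0c:29:aa:bb:01 127.0.0.1:80 > 192.168.3.150:1045 RA
00:0c:29:aa:bb:02 192.168.252.100:3321 > 192.168.252.1:80 S
00:0c:29:aa:bb:03 127.0.0.1:80 > 192.168.9.9:1050 RA
"""

def parse(line):
    """Split one constructed record into (mac, src_ip, dst_ip, flags)."""
    mac, src, _arrow, dst, flags = line.split()
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return mac, src_ip, dst_ip, flags

def find_backscatter(lines, local_net="192.168.0.0/16", min_targets=3):
    """Return hosts (by MAC) sending loopback-sourced TCP to many local IPs.

    A 127.0.0.0/8 source address should never appear on the wire, so the
    source IP cannot identify the sender; the source MAC is used instead.
    min_targets is an assumed threshold to ignore one-off stray packets.
    """
    net = ipaddress.ip_network(local_net)
    targets = defaultdict(set)
    flags_seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        mac, src_ip, dst_ip, flags = parse(line)
        if src_ip.is_loopback and dst_ip in net:
            targets[mac].add(dst_ip)
            flags_seen[mac].add(flags)
    return {
        mac: {"targets": len(ips), "flags": sorted(flags_seen[mac])}
        for mac, ips in targets.items()
        if len(ips) >= min_targets
    }

if __name__ == "__main__":
    for mac, info in find_backscatter(SAMPLE.splitlines()).items():
        print(mac, info)
```

Hosts reported here are candidates for patching and cleanup; an egress filter that drops 127.0.0.0/8 sources at the switch or router keeps this traffic off the rest of the network in the meantime.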