Security Incidents mailing list archives
RE: Localhost packets on WAN
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 30 Sep 2004 19:08:22 -0400
The point the ISP chose might not be the only gateway between your network and every infected machine in the world....
Yes, this is true and something I did not adequately consider.
You've proven only that you don't understand the "Blaster blowback" scenario, and that a *single* infected machine PROBABLY doesn't account for all of the traffic you've seen.
Unless multiple computers are all using a TTL that decrements to 125 when they reach me, they are the same machine or the same LAN, or behind a single proxy. And if multiple machines from disparate networks all get here with a TTL of 125, it is not Blaster because they are crafting the TTL. Either way, this is the only bogon traffic that has ever slipped through the upstream's bogon filtering. The traffic is believable for spoofed source Blaster blowback which I know happens, but NOT for local infection Blaster blowback. If it were not the only bogon traffic coming through and if it were not the first time ever that bogon traffic made a sudden appearance on that network, I would accept Blaster as a likely possibility.
... what upstream device would answer a SYN to 127.0.0.1 that did not originate from its own interface?
Almost any properly-working one, PROVIDED THAT ITS PHYSICAL MAC ADDRESS ON THE LOCAL LAN WAS SPECIFIED AS THE DESTINATION. This, of course, is only possible from within the same LAN segment, **and is not actually part of the "Blaster blowback" hypothesis**.
I should have said its own LAN rather than interface - my mistake. But if it's upstream, it's not on the same LAN segment. So it should not answer.
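The TTL argument in the message above can be checked mechanically. The following is an added example, not part of the original post: it profiles the arrival TTLs of loopback-sourced packets in a constructed sensor log and estimates hop counts, assuming senders start from a common default TTL (32, 64, 128 or 255); the log format and function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not from the thread): "src dst ttl" as a
# WAN-side sensor might log them. Addresses use documentation ranges.
SAMPLE_LOG = """\
127.0.0.1 203.0.113.10 125
127.0.0.1 203.0.113.11 125
198.51.100.7 203.0.113.10 52
127.0.0.1 203.0.113.12 125
127.0.0.1 203.0.113.10 125
"""

# Assumption: senders start from one of these common default TTLs.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse(log):
    """Yield (src, dst, ttl) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]), int(parts[2]))
        except ValueError:
            continue


def estimate_hops(observed_ttl):
    """Return (assumed initial TTL, hops) using the nearest default >= observed."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None, None


def loopback_ttl_profile(log):
    """Summarise arrival TTLs of packets whose source is in 127.0.0.0/8."""
    ttls = Counter(ttl for src, _dst, ttl in parse(log)
                   if src.version == 4 and src in LOOPBACK)
    return {
        "packets": sum(ttls.values()),
        "ttl_counts": dict(ttls),
        "single_ttl": len(ttls) == 1,  # one value: same path length for all
        "hops": {t: estimate_hops(t) for t in ttls},
    }


if __name__ == "__main__":
    print(loopback_ttl_profile(SAMPLE_LOG))
```

A single arrival TTL is consistent with one origin or one LAN but does not prove it, since a sender can craft the TTL, as the message itself notes.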