Incidents
RE: Odd worm traffic? Aug 26 2003 07:42PM
Jerry Heidtke (jheidtke fmlh edu)

This is probably a Blaster-infected machine with an incorrect date, or
just rebooted, trying its DoS against windowsupdate.com. The ISP
probably added a DNS entry pointing windowsupdate.com to 127.0.0.1.
Blaster sends a packet to 127.0.0.1:80 with a spoofed source address
within the local address range. Since there is not a web server on that
box, it responds to the spoofed addresses/ports with a RST packet.

If the ISP had not tried to be "helpful" by adding a DNS entry, Blaster
would be unable to resolve the address, and would skip the DoS routine.

Jerry

-----Original Message-----
From: Chris Boyd [mailto:cboyd (at) gizmopartners (dot) com]
Sent: Tuesday, August 26, 2003 10:31 AM
To: incidents (at) securityfocus (dot) com
Subject: Odd worm traffic?

Just after midnight local time, one of my IDS boxes that monitors a small
residential broadband network lit up with a bunch of traffic using a
spoofed source IP of 127.0.0.1, source port 80, destination IPs all
over the /16, dest ports all in the range of 1002-1992.

Googling for a pattern like this doesn't turn up much, and no exact
match. Anyone else seen similar?

--Chris

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.
Visit us: www.blackhat.com
---------------------------------------------------------------------------


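As an added illustration of the mechanism Jerry describes and of how the resulting traffic can be picked out of a capture (example code written for this page, not from either poster): a host that receives a SYN for a port with no listener answers with RST/ACK, source and destination swapped. When the worm's "windowsupdate.com" resolves to 127.0.0.1 and the SYN carries a spoofed source in the local range, that RST leaves the box as 127.0.0.1:80 -> spoofed-address:port, exactly the pattern Chris saw. The monitored network 10.20.0.0/16, the one-line flow format and the sample lines are all constructed for the example; only the source 127.0.0.1:80 and the 1002-1992 port range come from the post.

```python
"""Model of Blaster's loopback backscatter and a detector for it.

Constructed example for this page; not code from the original posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S" (SYN), "RA" (RST+ACK)


def rst_for_closed_port(pkt: Tcp, listening_ports=frozenset()) -> Optional[Tcp]:
    """What a TCP stack does with a SYN to a closed port: reply RST/ACK
    with addresses and ports swapped. Returns None when the port is open
    (a SYN/ACK would follow instead) or when pkt is not a bare SYN."""
    if "S" not in pkt.flags or "A" in pkt.flags:
        return None
    if pkt.dport in listening_ports:
        return None
    return Tcp(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport, flags="RA")


def simulate_worm_syn(spoofed_src: str, sport: int) -> Optional[Tcp]:
    """The worm's SYN once the ISP's DNS entry has pointed windowsupdate.com
    at 127.0.0.1, and the RST it elicits from the infected host itself.
    The SYN never leaves the box; the RST does, addressed to the spoofed
    source."""
    syn = Tcp(spoofed_src, sport, "127.0.0.1", 80, "S")
    return rst_for_closed_port(syn)


def is_loopback_backscatter(pkt: Tcp, monitored: ipaddress.IPv4Network) -> bool:
    """A packet with source 127.0.0.1 must never appear on a real link, so a
    RST from 127.0.0.1:80 aimed at an address we monitor is either raw
    spoofing or, as here, a neighbour's Blaster DoS bouncing off itself."""
    return (
        pkt.src == "127.0.0.1"
        and pkt.sport == 80
        and "R" in pkt.flags
        and ipaddress.ip_address(pkt.dst) in monitored
    )


def parse_line(line: str) -> Tcp:
    """Parse the constructed flow format 'src:sport > dst:dport FLAGS'."""
    left, right = line.split(">")
    src, sport = left.strip().rsplit(":", 1)
    dst_part, flags = right.strip().split()
    dst, dport = dst_part.rsplit(":", 1)
    return Tcp(src, int(sport), dst, int(dport), flags)


# Stand-in for the /16 the IDS watches (assumption, not from the post).
MONITORED = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample capture: three backscatter RSTs, one ordinary outbound
# SYN, and one loopback-sourced SYN that is odd but not the RST pattern.
SAMPLE = """\
127.0.0.1:80 > 10.20.3.17:1002 RA
127.0.0.1:80 > 10.20.200.9:1517 RA
127.0.0.1:80 > 10.20.77.4:1992 RA
10.20.5.5:1345 > 93.184.216.34:80 S
127.0.0.1:80 > 10.20.1.1:443 S
"""


def detect(text: str, monitored: ipaddress.IPv4Network = MONITORED) -> List[Tcp]:
    """Return every packet in the capture text matching the backscatter pattern."""
    pkts = (parse_line(l) for l in text.splitlines() if l.strip())
    return [p for p in pkts if is_loopback_backscatter(p, monitored)]


if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(f"backscatter: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} {hit.flags}")
    # The modelled RST is the same shape as what the detector flags.
    print(simulate_worm_syn("10.20.3.17", 1002))
```

Had windowsupdate.com failed to resolve, `simulate_worm_syn` would never be reached at all, which is Jerry's point about the DNS entry; with it resolving to 127.0.0.1 the infected host becomes the sender of the RSTs, so the fix is on the sinkholed host, not on the addresses receiving the RSTs.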

Copyright 2009, SecurityFocus