From: cslyon at netsvcs.com (Christopher Lyon)
Subject: msblast DDos counter measures (More Insight Maybe?)

> -----Original Message-----
> From: Vladimir Parkhaev [mailto:vladimir@...bas.net]
> Sent: Friday, August 15, 2003 9:18 AM
> To: Christopher Lyon
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] msblast DDos counter measures (More Insight Maybe?)
> 
> Quoting Christopher Lyon (cslyon@...svcs.com):
> > Look at these traces to see what it is doing. Note the source and
> > destination ports and addresses.
> >
> > WINDOWSUPDATE.COM set to resolve normally
> > 19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S
> > 886046720:886046720(0) win 16384
> >
> > It is allowed to resolve normally and the source is just what we think.
> > 192.168.x.x with the x's random numbers. This is what we all know and
> > can prove.
> 
> Yeah, OK. That is a SYN packet.
> 
> 
> >
> >
> > WINDOWSUPDATE.COM set to 127.0.0.1
> > 19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R
> > 0:0(0) ack 68419585 win 0
> >
> > Now look at the source, the source is 127.0.0.1 and the destination is
> > the 192.168.x.x with the x's being random numbers. That is what I am
> > saying is different. Also note that the dst port is 80.
> 
> Yeah, OK. That is a RST packet! You are confused.
> 
> Lemme have a second go at it:
> Your box 192.168.187.171 (infected).
> You set windowsupdate.com to 127.0.0.1
> Your infected box sends SYN to itself (dst=127.0.0.1) port 80,
> and randomly selected src in 192.168.x.y range and port. You do
> not see this packet, it does not go on the wire. Next your PC
> replies with a RST packet, the one you posted
> (19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R)
>                                                                   ^^^
>                                                           RST packet!
> because there is webserver listening on port 80 (if there was, you would
> have seen SYN/ACK packet).
> 
> 
> 
> >
> > So, what I am saying is that the syn flood will leave the box but it
> > will leave differently than we all think. So, can someone confirm this?
> > I have been seeing this in two different environments now.
> >
> >
> 
> Sure, I'll confirm:
> 
> Packets with src=127.0.0.1 will be dropped by routers and firewalls. If you
> screw with DNS and windowsupdate.com you will have a lot of RST packets
> flying inside your LAN.

OK,
Sorry that I didn't see that before but I see it now. Thanks.
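The distinction the thread turns on (a SYN leaving the box with a spoofed 192.168.x.x source versus a RST from the host's own port 80 after windowsupdate.com has been pointed at 127.0.0.1) is easy to tell apart mechanically. The following is an added example, not code from either poster: a small Python triage script that parses the old-style tcpdump summary lines quoted above, labels each packet SYN, SYN/ACK or RST, and tags the two patterns discussed so a defender reviewing a capture can count them. The two trace lines come from the thread; the remaining sample lines, the helper names and the tag strings are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Matches the summary lines the 2003-era tcpdump printed, as quoted in the
# thread: "<time> <src>.<port> > <dst>.<port>: <flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPFU.]+)\s*(?P<rest>.*)$"
)

# tcpdump substitutes service names for well-known ports; map the ones we need back.
SERVICE_PORTS = {"http": 80, "https": 443}


def split_endpoint(endpoint):
    """'192.168.187.171.1823' -> ('192.168.187.171', 1823);
    'localhost.localdomain.http' -> ('localhost.localdomain', 80)."""
    host, port = endpoint.rsplit(".", 1)
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    return host, int(port)


def is_loopback(host):
    if host == "localhost" or host.startswith("localhost."):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # unresolved hostname
        return False


def is_private(host):
    """RFC 1918 / other non-routable space; note ipaddress also counts loopback as private."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def parse_line(line):
    """Return a dict for one tcpdump summary line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    flags, rest = m.group("flags"), m.group("rest")
    if "R" in flags:
        kind = "RST"
    elif "S" in flags:
        # Old tcpdump prints a SYN/ACK as flag 'S' followed by 'ack <n>' in the rest.
        kind = "SYN/ACK" if " ack " in f" {rest} " else "SYN"
    else:
        kind = "OTHER"
    return {"ts": m.group("ts"), "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "kind": kind}


def classify(pkt):
    """Tag the two behaviours the thread describes (tag names are constructed)."""
    # SYN to port 80 from a spoofed private source toward a real target: this one goes on the wire.
    if (pkt["kind"] == "SYN" and pkt["dport"] == 80
            and is_private(pkt["src"]) and not is_loopback(pkt["src"])
            and not is_private(pkt["dst"])):
        return "outbound-syn-flood"
    # RST from the host's own port 80: the artifact of pointing the name at 127.0.0.1.
    # Routers and firewalls drop loopback-sourced packets, so this never leaves the host.
    if pkt["kind"] == "RST" and is_loopback(pkt["src"]) and pkt["sport"] == 80:
        return "loopback-rst"
    return "unremarkable"


def triage(lines):
    """Count packets per tag across a capture; unparseable lines are counted separately."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            counts["unparsed"] += 1
            continue
        counts[classify(pkt)] += 1
    return counts


# The first two lines are the traces quoted in the thread; the rest are constructed
# (an ordinary internal SSH handshake and a garbage line) to exercise the parser.
SAMPLE = [
    "19:48:23.963345 192.168.187.171.1823 > 204.79.188.11.http: S 886046720:886046720(0) win 16384",
    "19:39:56.131653 localhost.localdomain.http > 192.168.83.210.1269: R 0:0(0) ack 68419585 win 0",
    "19:50:01.000000 10.0.0.9.22 > 10.0.0.5.40000: S 200:200(0) ack 101 win 5792",
    "19:50:00.900000 10.0.0.5.40000 > 10.0.0.9.22: S 100:100(0) win 5840",
    "not a tcpdump line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        pkt = parse_line(line)
        print(pkt["kind"] if pkt else "??", classify(pkt) if pkt else "unparsed", "|", line)
    print(dict(triage(SAMPLE)))
```

Run against a capture taken on the LAN segment rather than on the infected host: the `loopback-rst` tag should then never appear (those packets do not cross the wire), and a nonzero `outbound-syn-flood` count from one internal machine is the signal worth chasing.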

