Message-ID: <20030815120525.GA15787@arobas.net>
From: vladimir at arobas.net (Vladimir Parkhaev)
Subject: msblast DDos counter measures (More Insight Maybe?)
Quoting B3r3n (B3r3n@...osnet.com):
> Christopher,
>
> > So, the machine is coming back up and the date was set after the 16th
> > and what do I see, I see a SYN flood but the source is 127.0.0.1 and the
> > destination is 192.168.X.X/16. (I am using 192.168.252.100 so the X's
> > are the random numbers)
> A question: does 192.168.x.x/16 reflect the configuration of the infected
> machine, or maybe a subnet of its configuration?
I don't see the problem... The PC in question is on the 192.168.x.0 nw
with address 192.168.x.y. According to the worm analysis, msblaster
picks random src IP addresses limited to the first 2 octets of the infected
PC's nw - anything between 192.168.0.0-192.168.255.255 (or 192.168.255.254).
The OP points windowsupdate.com to 127.0.0.1. The worm starts generating
packets with dst 127.0.0.1 and src in 192.168.0.0-192.168.255.255. Since the PC
is not running a web server, the OS sends a RST to the dst in
192.168.0.0-192.168.255.255 (basic TCP). The more SYN packets are generated,
the more RST packets you get on your class B n/w.
Conclusion - pointing windowsupdate.com to 127.0.0.1 replaces the SYN attack on
windowsupdate.com with a RST attack on your class B.
Solution - patch the freaking PCs!
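To make the side effect Vladimir describes concrete, here is a small model of the mechanism, added as an illustration and not code from the thread or from any worm analysis. It models only what the message states: SYNs whose source is random within the infected host's /16, a destination equal to whatever windowsupdate.com resolves to, and a local stack that answers a SYN to a closed local port with a RST to the packet's source address. The host address 192.168.252.100 is the OP's; the non-local placeholder address 203.0.113.10, the packet count and the random seed are constructed for the example.

```python
import ipaddress
import random
from typing import List, Optional, Set, Tuple

# Constructed values for this illustration; nothing here comes from a real capture.
INFECTED_HOST = "192.168.252.100"   # the OP's address from the thread
LOOPBACK = "127.0.0.1"


class Packet:
    """Minimal TCP packet model: only the fields the mechanism depends on."""

    def __init__(self, src: str, dst: str, dport: int, flags: str):
        self.src, self.dst, self.dport, self.flags = src, dst, dport, flags


def spoofed_syns(host_ip: str, target_ip: str, count: int, seed: int = 1) -> List[Packet]:
    """SYNs as the message describes them: source addresses random within the
    infected host's first two octets (its /16), destination = whatever
    windowsupdate.com resolves to."""
    net = ipaddress.ip_network("%s/16" % host_ip, strict=False)
    rng = random.Random(seed)  # seeded so the run is reproducible
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return [Packet(str(ipaddress.ip_address(rng.randint(lo, hi))), target_ip, 80, "SYN")
            for _ in range(count)]


def local_stack_reply(pkt: Packet, local_addrs: Set[str],
                      listening_ports: Set[int]) -> Optional[Packet]:
    """What the host's own stack emits for one incoming packet.
    A SYN to a local address with no listener gets a RST addressed to the
    packet's *source* (basic TCP); anything else generates nothing locally."""
    if pkt.flags != "SYN" or pkt.dst not in local_addrs:
        return None  # not for this host: the SYN simply leaves toward its dst
    if pkt.dport in listening_ports:
        return None  # a listener would answer SYN/ACK; not the case in the thread
    # Port fields are not modelled further; only where the RST is routed matters.
    return Packet(src=pkt.dst, dst=pkt.src, dport=pkt.dport, flags="RST")


def reflection_report(host_ip: str, resolved_ip: str, count: int,
                      listening_ports: Set[int] = frozenset()) -> Tuple[int, int, int]:
    """Returns (syns_leaving_host, rsts_emitted, rsts_landing_in_host_/16)
    for a given resolution of windowsupdate.com."""
    local = {host_ip, LOOPBACK}
    home = ipaddress.ip_network("%s/16" % host_ip, strict=False)
    syns = spoofed_syns(host_ip, resolved_ip, count)
    outbound = sum(1 for p in syns if p.dst not in local)
    replies = (local_stack_reply(p, local, listening_ports) for p in syns)
    rsts = [r for r in replies if r is not None]
    on_home_net = sum(1 for r in rsts if ipaddress.ip_address(r.dst) in home)
    return outbound, len(rsts), on_home_net


if __name__ == "__main__":
    for label, ip in (("name resolves off-host (placeholder address)", "203.0.113.10"),
                      ("name overridden to loopback", LOOPBACK)):
        print(label, reflection_report(INFECTED_HOST, ip, 1000))
```

With the name resolving off-host, every SYN leaves the machine and the local stack emits nothing; with the override to 127.0.0.1, no SYN leaves but one RST per SYN is generated, and every one of them is addressed into 192.168.0.0/16. That is the trade-off the message states: the override moves the load from windowsupdate.com onto the local class B rather than removing it, which is why patching the host is the only fix that stops both.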