Message-ID: <Pine.LNX.4.58.0405261042040.6973@damun.fork.ouz>
From: ouz at people.it (Valentino Squilloni - Ouz)
Subject: Odd packet?

On Wed, 26 May 2004, Maarten wrote:

[]
> > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
> >
> > But I've seen a lot of times those packet, especially the last year with
> > blaster and DNS servers which resolved microsoftupdate.com in 127.0.0.1 to
> > try to stop the DOS generated by blaster.
>
> Okay, let's analyse what you say here. Say your machine is looking for
> microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
> So then your machine starts connecting with... 127.0.0.1. Whether it will
> succeed in that or not is wholly dependent on whether your local box is
> running a http server, but that is beside the point: in this scenario, at no
> point will you see 127.0.0.1 at your _outside_ interface, incoming nor
> outgoing...

Wait a moment, you miss a point: say my machine has Blaster and looks for
windowsupdate.com, and the reply is 127.0.0.1; that's ok.

But then I forge a packet: I spoof your IP, say 1.2.3.4 (it was a DoS
against microsoftupdate), as the source IP, and 127.0.0.1:80 as the destination.

If I have a web server listening on 127.0.0.1:80, I answer SYN/ACK.
If I don't have the web server listening, I answer RST. But either way, if I
don't have a firewall, I answer, and I answer to 1.2.3.4, which is you, and so
I route it out my public interface.

So you see a packet coming from the world with 127.0.0.1 as the source
address.

I agree with you when you say that the providers (and maybe any router on
the internet) should stop packets with a non-routable IP (src or dst);
but if this is not always true for the destination address, it is almost never
true for the source address (i.e. very few providers do egress filtering).

Ouz

-- 
>having root access on a remote server, how could I make the
>system unusable, but in a subtle way?
If NT can be installed via FTP, that's your answer.
                -- Leonardo Serni
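An added example, not part of the thread, that models the reflection Ouz describes (forged SYN with the victim's address as source and 127.0.0.1:80 as destination, answered with SYN/ACK or RST out the public interface) next to the ingress and egress "martian" filtering he says providers should do. The packet dict layout, the port set and the interface names `lo`/`eth0` are assumptions made for the model.

```python
from ipaddress import ip_address, ip_network

# Non-routable ("martian") prefixes a border router should never forward
# as source or destination: loopback, RFC 1918 and "this network".
MARTIANS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
                                    "172.16.0.0/12", "192.168.0.0/16",
                                    "0.0.0.0/8")]

def is_martian(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in MARTIANS)

# Constructed forged SYN, as in the post: source spoofed to the victim
# 1.2.3.4, destination 127.0.0.1:80 on the infected host.
FORGED_SYN = {"src": "1.2.3.4", "sport": 40000,
              "dst": "127.0.0.1", "dport": 80, "flags": "SYN"}

def host_reply(pkt, listening_ports=(80,), host_firewall=False):
    """What the receiving host sends back, and out of which interface.

    Returns None when a host firewall discards the forged packet, else a
    (reply, interface) tuple.  The reply is routed by *destination*, so a
    reply addressed to 1.2.3.4 leaves via the public interface even though
    its source address is 127.0.0.1 (interface names are hypothetical)."""
    if host_firewall:
        return None
    flags = "SYN/ACK" if pkt["dport"] in listening_ports else "RST"
    reply = {"src": pkt["dst"], "sport": pkt["dport"],
             "dst": pkt["src"], "dport": pkt["sport"], "flags": flags}
    iface = "lo" if ip_address(reply["dst"]).is_loopback else "eth0"
    return reply, iface

def ingress_filter(pkt) -> bool:
    """Router-side check the post asks for: drop anything whose source
    or destination is non-routable.  True means forward."""
    return not (is_martian(pkt["src"]) or is_martian(pkt["dst"]))

def egress_filter(reply, iface) -> bool:
    """Host/edge egress check: a martian source must not leave a public
    interface.  True means forward."""
    return iface == "lo" or not is_martian(reply["src"])

if __name__ == "__main__":
    reply, iface = host_reply(FORGED_SYN)
    print(reply, "via", iface)                                    # 127.0.0.1 -> 1.2.3.4 via eth0
    print("ingress would forward:", ingress_filter(FORGED_SYN))   # False
    print("egress would forward:", egress_filter(reply, iface))   # False
```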

