[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.53.0405261425050.5779@mail.duckwall.net>
From: skip at duckwall.net (Skip Duckwall)
Subject: Odd packet?
This traffic is the result of machines on the internet being infected with
Blaster.E. This worm attempts to DOS the website of kimble.org, which
currently resolves to 127.0.0.1, whereas none of the other variants have
any targets.
What happens(similar writeups can be found from google):
The worm attempts to DOS kimble.org with a spoofed source address from a
high port.
So, the machine attempts to connect to kimble.org (127.0.0.1) on port 80.
This will usually fail (unless you happen to be running a local webserver)
causing a packet with a RST+ACK (the TCP way of the port not being there)
from localhost (127.0.0.1) on port 80 to whatever the spoofed IP address
and high port were.
So, you will get (unless egress filtering is in place) a packet from
127.0.0.1 with RST+ACK destined for a machine on your network.
Hope this clears things up for people...
Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip@...kwall.net
Powered by blists - more mailing lists