Open Source and information security mailing list archives
 
Message-ID: <Pine.LNX.4.53.0405261425050.5779@mail.duckwall.net>
From: skip at duckwall.net (Skip Duckwall)
Subject: Odd packet?

This traffic is the result of machines on the internet being infected with
Blaster.E.  This worm attempts to DOS the website of kimble.org, which
currently resolves to 127.0.0.1, whereas none of the other variants have
any targets.

What happens (similar writeups can be found from Google):

The worm attempts to DOS kimble.org with a spoofed source address from a
high port.

So, the machine attempts to connect to kimble.org (127.0.0.1) on port 80.

This will usually fail (unless you happen to be running a local webserver)
causing a packet with a RST+ACK (the TCP way of the port not being there)
from localhost (127.0.0.1) on port 80 to whatever the spoofed IP address
and high port were.

So, you will get (unless egress filtering is in place) a packet from
127.0.0.1 with RST+ACK destined for a machine on your network.


Hope this clears things up for people...

Alva Lease 'Skip' Duckwall IV
CISSP, RHCE, SCSA
skip@...kwall.net
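
A check for the packet described in this message, as an added example that is not part of the original post: it parses raw IPv4/TCP headers and flags RST+ACK segments from 127.0.0.1 port 80 sent to a high port. The sample packets are constructed, and treating "high port" as 1024 or above is an assumption.

```python
import socket
import struct

RST, ACK = 0x04, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (checksums left at zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

def parse(packet):
    """Return (src, dst, sport, dport, flags), or None if not parsable IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 14:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport, packet[ihl + 13]

def is_loopback_backscatter(packet):
    """True for RST+ACK from 127.0.0.1:80 to a high port (assumed >= 1024)."""
    fields = parse(packet)
    if fields is None:
        return False
    src, _dst, sport, dport, flags = fields
    return (src == "127.0.0.1" and sport == 80 and dport >= 1024
            and (flags & 0x3F) == (RST | ACK))

# Constructed sample packets; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = [
    build_packet("127.0.0.1", "192.0.2.10", 80, 3127, RST | ACK),     # the odd packet
    build_packet("127.0.0.1", "192.0.2.10", 80, 3127, 0x12),          # SYN+ACK instead
    build_packet("198.51.100.7", "192.0.2.10", 80, 3127, RST | ACK),  # ordinary source
    build_packet("127.0.0.1", "192.0.2.10", 80, 443, RST | ACK),      # low dest port
]

if __name__ == "__main__":
    print([is_loopback_backscatter(p) for p in SAMPLES])
```
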

