Re: Is this some type of scan

From: Frank Knobbe (frankknobbe.us)
Date: Thu Aug 05 2004 - 11:58:08 CDT


On Wed, 2004-08-04 at 09:45, Aaron Lewis wrote:
> I don't think this is right but I don't know what to make of it. One of my
> ACL's denies this 4 - 6 times a day an hour apart for 4 or so hours then it
> stops until the next day.
>
> Aug 4 10:17:54 myhostname 3272392: Aug 4 10:17:53.949 EST:
> %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80)
> (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1515), 1 packet
> Aug 4 10:18:10 myhostname 3272394: Aug 4 10:18:10.621 EST:
> %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80)
> (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1011), 1 packet

May I pass on a message from the archives?

From: Dan Hanson <dhansonsecurityfocus.com>
To: incidentssecurityfocus.com
Subject: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?
Date: Tue, 28 Oct 2003 08:59:56 -0700 (MST)

I am posting this in the hopes of dulling the 5-6 messages I get every day that are reporting port scans to their network, all of which have a source IP of 127.0.0.1 and source port 80.

It is likely Blaster (check your favourite AV site for a writeup, I won't summarize here).

The reason that people are seeing this has to do with some very bad advice that was given early in the Blaster outbreak. The advice basically was that to protect the Internet from the DoS attack that was to hit windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to windowsupdate.com. Essentially these suggestions were suggesting that hosts should commit suicide to protect the Internet.

The problem is that the DoS routine spoofs the source address, so when windowsupdate.com resolves to 127.0.0.1 the following happens.

Infected host picks an address as source address and sends a SYN packet to 127.0.0.1 port 80. (Sends it to itself.) (This never makes it onto the wire; you will not see this part.)

TCP/IP stack receives the packet, responds with a reset (if there is nothing listening on that port), sending the reset to the host with the spoofed source address. (This is what people are seeing and mistaking for portscans.)

Result: It looks like a host is port scanning ephemeral ports using packets with source address:port of 127.0.0.1:80.

Solution: track back the packets by MAC address to find the infected machine. Turn off DNS resolution of windowsupdate.com to 127.0.0.1.

Hope that helps

D

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBBEmcgJjGc5ftAw8wRAldLAJ9jpmRYDRPQT2g27oDb4z8r2LC1XACg2Y2X
Nsg97Sax2sBl1JA5P+onRK0=
=AXnw
-----END PGP SIGNATURE-----
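The "track back by MAC address" step Dan recommends can be automated against the router's ACL log. The following Python script is an added example and is not code from either poster: it parses lines in the %SEC-6-IPACCESSLOGP layout Aaron quoted (the field order is assumed from those two lines), keeps only TCP entries whose source is 127.0.0.1 port 80, and groups them by the source MAC recorded on the ingress interface, since that MAC is the one field the spoofed IP header cannot hide. The sample log below is constructed: the first two lines reproduce Aaron's entries, the third is an unrelated deny added for contrast.

```python
import re
from collections import defaultdict

# Cisco IOS %SEC-6-IPACCESSLOGP line as seen in the thread (layout assumed
# from the two quoted entries):
#   list <acl> denied <proto> <src>(<sport>) (<iface> <mac>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"-> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: Aaron's two lines plus one unrelated deny from a
# different MAC (documentation address 192.0.2.7, made up for this example).
SAMPLE_LOG = """\
Aug 4 10:17:54 myhostname 3272392: Aug 4 10:17:53.949 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80) (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1515), 1 packet
Aug 4 10:18:10 myhostname 3272394: Aug 4 10:18:10.621 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 127.0.0.1(80) (Ethernet0/1 000b.bf55.4c70) -> my.public.ip.x(1011), 1 packet
Aug 4 10:20:02 myhostname 3272401: Aug 4 10:20:01.118 EST: %SEC-6-IPACCESSLOGP: list inboundACLname denied tcp 192.0.2.7(3389) (Ethernet0/1 0011.2233.4455) -> my.public.ip.x(3389), 1 packet
"""


def parse_line(line):
    """Parse one ACL log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def is_loopback_reset(rec):
    """Match the pattern Dan describes: TCP from 127.0.0.1, source port 80.

    Such a packet cannot legitimately arrive from the wire; it is the RST an
    infected host sent back to the spoofed source address of its own SYN.
    """
    return rec["proto"] == "tcp" and rec["src"] == "127.0.0.1" and rec["sport"] == 80


def suspects_by_mac(log_text):
    """Group matching entries by source MAC.

    The IP header is spoofed, so the MAC on the ingress interface is the only
    field that still points at the machine that actually emitted the packet.
    Returns {mac: {"iface": str, "packets": int, "dst_ports": [int, ...]}}.
    """
    suspects = defaultdict(lambda: {"iface": None, "packets": 0, "dst_ports": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_loopback_reset(rec):
            continue
        entry = suspects[rec["mac"]]
        entry["iface"] = rec["iface"]
        entry["packets"] += rec["count"]
        entry["dst_ports"].append(rec["dport"])
    return dict(suspects)


if __name__ == "__main__":
    for mac, info in suspects_by_mac(SAMPLE_LOG).items():
        print(f"{mac} on {info['iface']}: {info['packets']} packet(s) "
              f"to destination ports {info['dst_ports']}")
```

Run against the real log, the output is a short list of MAC addresses to look up in the switch's CAM table; the destination port list is kept because a spread of unrelated ephemeral ports from one MAC is exactly the "looks like a port scan" symptom the thread describes, as opposed to a single repeated port.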