On Wed, 26 May 2004, Maarten wrote:
[]
> > > Especially 127.x.x.x is not routed by any ISP which is worth their name.
> >
> > But I've seen a lot of times those packet, especially the last year with
> > blaster and DNS servers which resolved microsoftupdate.com in 127.0.0.1 to
> > try to stop the DOS generated by blaster.
>
> Okay, let's analyse what you say here. Say your machine is looking for
> microsoftupdate.com. It asks a DNS server and the reply is: 127.0.0.1.
> So then your machine starts connecting with... 127.0.0.1. Whether it will
> succeed in that or not is wholly dependant on whether your local box is
> running a http server, but that is beside the point: in this scenario, at no
> point will you see 127.0.0.1 at your _outside_ interface, incoming nor
> outgoing...
Wait a moment, you miss a point: say my machine have blaster and looks for
windowsupdate.com, and the reply is 127.0.0.1, that's` ok.
But then I forge a packet I will spoof your IP, say 1.2.3.4 (it was a DOS
to microsoftupdate, as the source IP, and 127.0.0.1:80 as the destination.
If I have a web server listening on 127.0.0.1:80 I answer SYN/ACK
If I have not the web server listening I answer RST, but anyway if I don't
have the firewall I answer, and I answer to 1.2.3.4, which is you, and so
I route it on my public interface.
So you see a packet coming from the world with 127.0.0.1 ad the source
address.
I agree with you when you say that the providers (and maybe any router in
the internet) should stops packet with an ip (src or dst) non routable;
but if this is not always true for destination address, it is nearly never
true for source address (ie. very few provider make egress filtering).
Ouz
--
>avendo accesso come root ad un server remoto, come potrei fare a rendere
>il sistema non utilizzabile ma in modo sottile ?
Se NT puo' installarsi via FTP, e' la tua risposta.
-- Leonardo Serni
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
