From owner-freebsd-security@FreeBSD.ORG  Mon Jun  7 20:39:47 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3920516A4D0
	for <freebsd-security@freebsd.org>;
	Mon,  7 Jun 2004 20:39:47 +0000 (GMT)
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F3D0243D48
	for <freebsd-security@freebsd.org>;
	Mon,  7 Jun 2004 20:39:46 +0000 (GMT)
	(envelope-from cristjc@comcast.net)
Received: from blossom.cjclark.org
	(c-24-6-187-112.client.comcast.net[24.6.187.112])
	by comcast.net (rwcrmhc11) with ESMTP
	id <2004060720394301300cn4nae>; Mon, 7 Jun 2004 20:39:44 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.11/8.12.8) with ESMTP id i57KdiJ5075977;
	Mon, 7 Jun 2004 13:39:44 -0700 (PDT)
	(envelope-from cristjc@comcast.net)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.11/8.12.11/Submit) id i57Kdhdi075976;
	Mon, 7 Jun 2004 13:39:43 -0700 (PDT)
	(envelope-from cristjc@comcast.net)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to
	cristjc@comcast.net using -f
Date: Mon, 7 Jun 2004 13:39:43 -0700
From: "Crist J. Clark" <cristjc@comcast.net>
To: Neo-Vortex <root@Neo-Vortex.Ath.Cx>
Message-ID: <20040607203943.GB75747@blossom.cjclark.org>
References: <20040529190052.25D1916A4CF@hub.freebsd.org>
	<opr87mhdtds10hlf@mv.rbr.ru> <20040607160728.A47101@Neo-Vortex.Ath.Cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040607160728.A47101@Neo-Vortex.Ath.Cx>
User-Agent: Mutt/1.4.2.1i
X-URL: http://people.freebsd.org/~cjc/
cc: Michael Vlasov <mv@rbr.ru>
cc: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 61, Issue 3
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark" <cjc@freebsd.org>
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2004 20:39:47 -0000

On Mon, Jun 07, 2004 at 04:10:46PM +1000, Neo-Vortex wrote:
> On Mon, 7 Jun 2004, Michael Vlasov wrote:
> 
> > On Sat, 29 May 2004 12:00:52 -0700 (PDT),
> > <freebsd-security-request@freebsd.org> wrote:
> >
> > Hello !
> >
> > Today i see in snort logs :
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> > TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x75830001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> > TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x568A0001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> > TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> > ***A*R** Seq: 0x0  Ack: 0x37920001  Win: 0x0  TcpLen: 20
> > [Xref => http://rr.sans.org/firewall/egress.php]
> >
> > Why ? ;-)
> 
> Ok, that means that someone (or thing) is spoofing packets to your box
> (i know, and so does snort, that its spoofed because the source ip is
> 127.0.0.1 and its coming in on an interface apart from lo0) this is
> sometimes used as a DoS attack (its one of those fun addresses to use as
> source addresses for them), although, by the looks of it (because theres
> multiple dst-ports being used), someone is using a program like nmap to
> portscan your host using a spoofed ip

The original post is not really on topic for this list. It
is a general security incident question whereas the topic
here should be more FreeBSD specific.

That said, that traffic looks like Blaster backscatter. Early
on in Blaster, there was some ill-conceived advice to map
windowsupdate.com to 127.0.0.1 to prevent the DDoS. So what
happens is that an infected host picks a random address "near"
its own, in this case, it looks like the infected host is in
10.6.0.0/16, looks up the hostname to attack and gets 127.0.0.1.
It sends a SYN to 127.0.0.1, which is itself, but odds are it
has no HTTP server running, nothing listening on 80/tcpm so it
replies with a RST to the source... the spoofed source... with
the source of the RST being the destination of the SYN,
127.0.0.1. These RSTs are what you are seeing above.

So, if this traffic is coming from some internal 10.16.0.0/16
network, it's time to go looking for a Blaster infection. If
it is originating from the outside, not a lot you can do, but
there is nothing harmful about it unless there is enough of
this noise to eat significant resources.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org