Covington, Chris wrote:
> I'm not really sure I agree with the hypothesis that "As a defensive
> measure, some DNS admins locally changed the A-record for
> windowsupdate.com to 127.0.0.1" and that's why you see all this traffic.
> I believe that it's just hacking attempts trying to spoof the local
> interface to get elevated privileges.
Did you look closely at the traffic? Are these all TCP RST segments
with a source port of 80?
Do you have any evidence to support the position that these are "hacking
attempts?" What might this traffic be trying to exploit? That is, how
would sending TCP RST packets with a source of 127.0.0.1 accomplish
anything for an attacker? Any TCP implementation that is not wildly
insane and non-standards-compliant is going to drop RSTs it knows nothing
about on the floor very early in processing.
Basically what I am saying is that the hypothesis that this is reflected
worm traffic seems to explain this stuff very well. What evidence do
you have that makes your conjecture, some type of active attack, a
better explanation?
If you want to work on a real mystery, how about those spoofed TCP SYNs
with the 55808 windows that showed up all of a sudden a few months ago?
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist
Clark
Sent: Monday, February 23, 2004 2:39 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Loopback address spoofing
Mark Pays wrote:
> I can see the very same thing happening to one of my firewalls. It looks
> like some kind of attempt to spoof the loopback address. Run a tcpdump and
> use -e to show Ethernet source and dest MAC addresses. (I used tcpdump -n -e
> -i eth4c0 host 127.0.0.1). When I did this, the packets claiming to be from
> 127.0.0.1 are actually originating from the internet router MAC address. I
> don't think it's of great concern as the firewall is dropping all the
> packets, but I'd be interested to hear if anyone knows any more about it
> though.
Yes. This has come up on this list many, many times.
http://msgs.securepoint.com/cgi-bin/get/fw1-0312/28/1.html
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
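The two checks raised in this thread (look at the Ethernet source MAC behind the 127.0.0.1 packets, as Mark Pays did with tcpdump -e, and confirm whether every such packet is a TCP RST with source port 80, as Crist Clark asks) can be run mechanically over a capture. The following is an added example, not code from anyone on the list: it parses modern-style `tcpdump -n -e` text output and summarizes the loopback-sourced packets. The sample lines, MAC addresses and IP addresses are constructed for illustration; the regex assumes the current libpcap "Flags [..]" line format, which is not what a 2004 tcpdump printed.

```python
import re
from collections import Counter

# One line of `tcpdump -n -e` output in the modern libpcap text format (assumption:
# a 2004-era tcpdump printed TCP flags as e.g. "R 0:0(0) win 0" instead of "Flags [R]").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed addresses: the upstream router's MAC and the firewall's outside MAC.
ROUTER_MAC = "00:00:0c:07:ac:01"
FW_MAC = "00:a0:c9:12:34:56"

# Constructed capture: four RSTs claiming to come from 127.0.0.1:80, all arriving
# from the router's MAC, plus one unrelated packet that the summary must ignore.
SAMPLE_REFLECTED = [
    f"14:39:01.000001 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.80 > 192.0.2.10.1025: Flags [R.], seq 0, ack 1, win 0, length 0",
    f"14:39:01.000002 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.80 > 192.0.2.10.1026: Flags [R.], seq 0, ack 1, win 0, length 0",
    f"14:39:01.000003 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.80 > 192.0.2.11.3301: Flags [R], seq 0, win 0, length 0",
    f"14:39:01.000004 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 60: "
    "127.0.0.1.80 > 192.0.2.11.3302: Flags [R.], seq 0, ack 1, win 0, length 0",
    f"14:39:01.000005 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 66: "
    "198.51.100.5.443 > 192.0.2.10.40000: Flags [P.], seq 1:11, ack 1, win 500, length 10",
]

# Same capture plus one loopback-sourced SYN, which does not fit the reflected-RST picture.
SAMPLE_MIXED = SAMPLE_REFLECTED + [
    f"14:39:02.000001 {ROUTER_MAC} > {FW_MAC}, ethertype IPv4 (0x0800), length 62: "
    "127.0.0.1.6000 > 192.0.2.10.135: Flags [S], seq 1000, win 8192, length 0",
]


def parse_line(line):
    """Return the parsed fields of a TCP line, or None if the line is not TCP/IPv4 text."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize_loopback(lines):
    """Summarize every packet whose IP source claims to be in 127.0.0.0/8.

    by_mac          -- which Ethernet source actually delivered them (the -e check)
    by_sport_flags  -- (source port, TCP flags) histogram
    all_rst_from_80 -- True only if every loopback-sourced packet is an RST from port 80
    """
    by_mac = Counter()
    by_sport_flags = Counter()
    seen = 0
    all_rst_from_80 = True
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not pkt["sip"].startswith("127."):
            continue
        seen += 1
        by_mac[pkt["smac"]] += 1
        by_sport_flags[(pkt["sport"], pkt["flags"])] += 1
        if not (pkt["sport"] == 80 and "R" in pkt["flags"]):
            all_rst_from_80 = False
    return {
        "count": seen,
        "by_mac": dict(by_mac),
        "by_sport_flags": dict(by_sport_flags),
        "all_rst_from_80": seen > 0 and all_rst_from_80,
    }


if __name__ == "__main__":
    for name, capture in (("reflected", SAMPLE_REFLECTED), ("mixed", SAMPLE_MIXED)):
        print(name, summarize_loopback(capture))
```

On a live box the same function can be fed the output of `tcpdump -n -e -l -i <iface> host 127.0.0.1` read from a pipe; if `by_mac` shows only the upstream router and `all_rst_from_80` is true, the capture is consistent with the reflected-traffic explanation, and a false result points you at exactly which packets do not fit.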
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================