Hello Chris,
How would that work, really, since even without a firewall packets returning
to 127.0.0.1 wouldn't be sent back to the hacker's computer?
I could see it being a DoS attack of some sort, since it would cause
processor interrupts on the destination host, but these packets come in so
slowly that I don't see how it would be very effective -
I think I'll stick with the Blaster theory -
Regards,
Lars Higham
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Covington, Chris
Sent: Monday, February 23, 2004 7:17 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Loopback address spoofing
I'm not really sure I agree with the hypothesis that "As a defensive
measure, some DNS admins locally changed the A-record for windowsupdate.com
to 127.0.0.1" and that's why you see all this traffic.
I believe that it's just hacking attempts trying to spoof the local
interface to get elevated privileges.
Chris
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist Clark
Sent: Monday, February 23, 2004 2:39 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Loopback address spoofing
Mark Pays wrote:
> I can see the very same thing happening to one of my firewalls. It looks
> like some kind of attempt to spoof the loopback address. Run a tcpdump and
> use -e to show ethernet source and dest MAC addresses. (I used tcpdump -n -e
> -i eth4c0 host 127.0.0.1). When I did this the packets claiming to be from
> 127.0.0.1 are actually originating from the internet router MAC address. I
> don't think it's of great concern as the firewall is dropping all the
> packets but I'd be interested to hear if anyone knows anymore about it
> though..
Yes. This has come up on this list many, many times.
http://msgs.securepoint.com/cgi-bin/get/fw1-0312/28/1.html
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
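
The tcpdump check Mark Pays describes in the thread, as an added example that is not part of the original messages: it reads saved `tcpdump -n -e` text output and counts frames whose IP source is in 127.0.0.0/8, grouped by Ethernet source MAC, so the adjacent device that forwarded them is visible. The output layout matched by the regex, the function name and the sample lines (documentation MAC and IP ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Link-level header and IPv4 source as printed by `tcpdump -n -e` on Ethernet
# (assumed output layout; the optional trailing ".NNN" is the TCP/UDP port).
LINE_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
)

# Constructed sample capture: documentation MACs and IP ranges, not real traffic.
SAMPLE = [
    "14:02:11.123456 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), "
    "length 60: 127.0.0.1.80 > 203.0.113.10.1042: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:02:11.523001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.7.443 > 203.0.113.10.51000: Flags [S.], seq 1, ack 2, win 512, length 0",
    "14:02:12.000001 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 60: Request who-has 203.0.113.10 tell 203.0.113.1, length 46",
    "14:02:19.880120 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), "
    "length 60: 127.0.0.1.80 > 203.0.113.11.1215: Flags [R.], seq 0, ack 1, win 0, length 0",
]

def loopback_sources_by_mac(lines):
    """Count frames with a 127.0.0.0/8 IP source, keyed by Ethernet source MAC."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-IPv4 frame or a line in another format
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # digits that are not a valid IPv4 address
        if src in LOOPBACK:
            hits[m.group("smac")] += 1
    return hits

if __name__ == "__main__":
    for mac, count in loopback_sources_by_mac(SAMPLE).items():
        print(f"{count} frame(s) with 127/8 source sent by {mac}")
```

A loopback source address arriving with another device's MAC means the frame came off the wire from that neighbour rather than from the local stack, which is the observation in the quoted message.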