|
-
November 20th, 2003, 10:57 AM
#11
D'oh. Right.
Could be timeout from existing/previous connections and the firewall is closing it (don't think so but doing random thoughts on this one). Do the sequence numbers match for existing connections?
-
November 20th, 2003, 11:42 AM
#12
[isp router]------*----[firewall]------[webservers]
I'm sniffing the connection marked with a *.
The firewall will only allow connections on port 80 to the webservers. The webservers aren't able to communicate with the outside world. If there's something going out the firewall with an address of 127.0.0.1 I would have sniffed it.
But please keep stabbing, you might hit something I overlooked 
As Arthur Conan-Doyle said: "if you've eliminated all the possibilities, whatever is left, however improbable, must be the answer."
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 20th, 2003, 05:54 PM
#13
Junior Member
It look like blind scanning.
By using this kind of packet, some firewall may be fooled. The only part puzzle me, is how the scanner can get the information back. Maybe a second, legal, packet is sent to know if the sequence number bumped.
-
November 20th, 2003, 06:00 PM
#14
Forn: That's a darned unreliable form of scanning. The theory is based on an idle host scan where the host really is idle. On a busy network you aren't going to get any viable data by checking the sequence number because anyone or anything could have bumped it in the meantime.
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
November 23rd, 2003, 07:57 PM
#15
Senior Member
I've been getting port scans from 127.0.0.1 as well. During the last half hour the scans have gone from port 1088, 1355, 1530 to 1517. Approximately an hour earlier the "Attack Type" showed an RST Attack from 127.0.0.1 in my Outpost log.
If anyone else has any further information regarding this subject, I'd appreciate hearing about it. Thanks so much.
V.
All truths are easy to understand once they are discovered; the point is to discover them. What lies behind us and what lies before us are tiny matters compared to what lies within us.
-
November 24th, 2003, 12:47 AM
#16
Hey SirDice, I've just started reading Hacking: Art of Exploitation and noticed in the networking chapter a section on "RST Hijacking".
Source from Hacking: The Art of Exploitation, page 157
A very simple form of TCP/IP hijacking involves injecting an authentic-looking reset (RST) packet. If the source is spoofed and the acknowledgement number is correct, the receiving side will believe that the source actually sent the rest packet and reset the connection
Again a wild stab but could it be someone attempting something like this? It's suggested that someone could use tcpdump, awk and packet creation tool like nemisis for this.
-
November 24th, 2003, 04:02 PM
#17
You may have a point here MsMittens  Does the destination port this RST get send to matter?
ISP is being a jurk and doesn't want to help. They say it could come from anywhere. They're not even going to trace it 
I also did some more background checking. I found this article that talks about a loopback and multi-homed routing flaw in the TCP/IP stack. That pointed me to RFC-1122 section 3.2.1.3 which states:
(g) { 127, <any> }
Internal host loopback address. Addresses of this form
MUST NOT appear outside a host.
This would mean that the 'side effect of Blaster' explanation cannot be true unless the windows tcp/ip stack is flawed.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 24th, 2003, 05:54 PM
#18
Which wouldn't be the first time the TCP/IP Stack in Windows was flawed. Just because the address must not come from outside doesn't mean that the packet wouldn't be alterted. Changing the Source address is relatively easy (check the post I did in Addicts about netsed). I suspect that all TCP/IP stacks are flawed in that they acknowledge packets that physically coming from outside as being local (hence the reason that your firewall should defend against this).
As for the ISP I think it's more a matter of "we don't know enough, don't have the resources nor have we kept records" kind of thing. But that's my opinion.
-
December 9th, 2003, 03:42 AM
#19
Junior Member
the first thing that came to mind...
when i read the message, i immediately thought of nmap's idlescan fuction. http://www.insecure.org/nmap/idlescan.html check the egreess filtering under idlescan challenges. It kinda of makes sense to do it this way, ecspesially if you are a .inc, since an admin might contact the spoofed ip, tell the admin of the spoofed ip what to look for, etc. hrmmm..... I wonder if it would be possible to code it so that more than one host can be used as a zombie to cover tracks even further.
-
December 9th, 2003, 02:57 PM
#20
The idle scan only seems to work if you spoof an actual existing address. I don't see the use in using 127.0.0.1 as a source with an idle scan. It may be part of a decoy though or as MsMittens noted an attempt to kill existing connections by guessing the sequence numbers.
Oliver's Law:
Experience is something you don't get until just after you need it.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote