
Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 6:00 pm
by mdelaney
Today, my IT department came to me and mentioned that my system was "slamming" our router with requests to port 80.

It seems that NoScript is doing an IP lookup, getting my work's external address, and then trying to hit that address on port 80. Our firewall saw the constant "probe" as a potential attack. While sniffing the network traffic we saw an almost constant stream of the following (hostnames redacted):

Code:

13:38:02.119255 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657432 ecr 0,sackOK,eol], length 0
13:38:02.369828 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657677 ecr 0,sackOK,eol], length 0
13:38:03.136822 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301658432 ecr 0,sackOK,eol], length 0
13:38:03.382051 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301658677 ecr 0,sackOK,eol], length 0
13:38:04.146678 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301659432 ecr 0,sackOK,eol], length 0
13:38:04.396091 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301659678 ecr 0,sackOK,eol], length 0
13:38:05.150361 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301660432 ecr 0,sackOK,eol], length 0
13:38:05.396445 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301660678 ecr 0,sackOK,eol], length 0
13:38:06.150767 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301661432 ecr 0,sackOK,eol], length 0
13:38:06.399382 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301661678 ecr 0,sackOK,eol], length 0
13:38:07.169206 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662432 ecr 0,sackOK,eol], length 0
13:38:07.416529 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301662678 ecr 0,sackOK,eol], length 0
13:38:09.181120 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664432 ecr 0,sackOK,eol], length 0
13:38:09.428206 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301664678 ecr 0,sackOK,eol], length 0
13:38:13.211271 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668432 ecr 0,sackOK,eol], length 0
13:38:13.461085 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301668678 ecr 0,sackOK,eol], length 0
13:38:21.267142 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301676432 ecr 0,sackOK,eol], length 0
13:38:21.513184 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301676678 ecr 0,sackOK,eol], length 0
13:38:37.305489 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301692432 ecr 0,sackOK,eol], length 0
13:38:37.553514 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301692678 ecr 0,sackOK,eol], length 0
13:39:09.399634 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,sackOK,eol], length 0
13:39:09.645775 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,sackOK,eol], length 0
13:39:17.671870 IP worklaptop.somedomain.org.49841 > firewall.somedomain.org.http: Flags [S], seq 3384371286, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301732677 ecr 0,sackOK,eol], length 0
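As an added example (not code from the post or from NoScript), a small Python parser over the tcpdump lines above that separates kernel SYN retransmissions (same source port and sequence number) from new connection attempts; it is the kind of check an IT team could run on such a capture before reading repeated SYNs to one port as a scan. Hostnames are the poster's placeholders.

```python
import re
from collections import defaultdict

# Five lines taken verbatim from the capture in the post (hostnames are the
# poster's placeholders); embedded here so the script runs offline.
SAMPLE_CAPTURE = """\
13:38:02.119255 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657432 ecr 0,sackOK,eol], length 0
13:38:02.369828 IP worklaptop.somedomain.org.49802 > firewall.somedomain.org.http: Flags [S], seq 2584067680, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301657677 ecr 0,sackOK,eol], length 0
13:38:03.136822 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301658432 ecr 0,sackOK,eol], length 0
13:38:04.146678 IP worklaptop.somedomain.org.49800 > firewall.somedomain.org.http: Flags [S], seq 2269594051, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301659432 ecr 0,sackOK,eol], length 0
13:39:17.671870 IP worklaptop.somedomain.org.49841 > firewall.somedomain.org.http: Flags [S], seq 3384371286, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2301732677 ecr 0,sackOK,eol], length 0
"""

# tcpdump's TCP line: "<hh:mm:ss.us> IP <src>.<port> > <dst>.<port|service>: Flags [..], seq N, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize_syns(capture):
    """Group bare SYNs by (src, sport, seq, dst, dport). A repeat with the same
    source port *and* sequence number is not a new probe: it is the client's
    kernel retransmitting one unanswered connect(). A new (sport, seq) pair is
    a fresh attempt. Returns one record per attempt, in order of first SYN."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":  # pure SYN only; skip SYN-ACK ("S.") and data
            continue
        key = (m["src"], int(m["sport"]), int(m["seq"]), m["dst"], m["dport"])
        flows[key].append(_seconds(m["ts"]))
    report = []
    for (src, sport, _seq, dst, dport), t in sorted(flows.items(), key=lambda kv: kv[1][0]):
        report.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                       "retransmits": len(t) - 1,
                       "gaps_s": [round(b - a, 2) for a, b in zip(t, t[1:])]})
    return report

def is_unanswered_retry_pattern(report):
    """True when every attempt targets one host:port and at least one attempt
    was retransmitted: a single client retrying a port that never answers (what
    the firewall here called a 'probe'), not a sweep across ports or hosts."""
    targets = {(r["dst"], r["dport"]) for r in report}
    return len(targets) == 1 and any(r["retransmits"] > 0 for r in report)
```

On the sample, port 49800 shows two retransmits about a second apart while 49802 and 49841 are single fresh attempts, all to the same host on http; that is one client retrying, not a port sweep.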

Re: Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 6:20 pm
by barbaz
It's due to NoScript fingerprinting the WAN IP so that it can protect it better. You can stop this behavior by un-checking the "WAN IP ∈ LOCAL" checkbox in NoScript Options > Advanced > ABE, but note that doing so will mean that the router's public interface will not be protected.

The point of this feature is to prevent websites from tampering with routers that expose their admin controls or the like on their public interface. You might consider pointing your IT department to this thread, because only they will know A) what their router exposes on its public interface (if anything) and B) whether they care if malicious web pages mess with that stuff.

Let us know, thanks.

Re: Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 6:28 pm
by mdelaney
Awesome. That fixed it. Thanks, barbaz.

Re: Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 7:33 pm
by barbaz
You're welcome

Re: Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 10:50 pm
by Thrawn
I'm not sure why NoScript would actually be contacting that address, though. It should just be resolving it.

Re: Doing a reverse lookup, and trying to hit port 80.

Posted: Mon Oct 19, 2015 11:04 pm
by barbaz
No, this is normal and expected behavior. It contacts it to fingerprint it to help protect it better; among other things, it uses the fingerprint to help check if the WAN IP has changed. https://hackademix.net/2010/07/28/abe-p ... r-routers/ (& comment 9)