Full Disclosure mailing list archives
Re: Odd packet?
From: Mike Klinke <mklinke () futzin com>
Date: Wed, 26 May 2004 08:29:30 -0500
On Wednesday 26 May 2004 04:05, Valentino Squilloni - Ouz wrote:
> On Wed, 26 May 2004, Steffen Schumacher wrote:
> > []
> > However, as you said, no ISP, which has to follow rules and regulations
> > in the western world allows spoofing of or even routing of the 127/8 net.
>
> Yes, but 127/8 as the source or the destination? Even the OP didn't
> mention this. I'm prone to believe those packets have 127.0.0.1 as the
> source of the packets.

You're correct. I thought I'd sent this to the list last night but didn't watch the to: field carefully enough on my reply.

I don't know the mechanism but I think I know what you were seeing. Here is an ethereal packet capture from the time. We, too, were constantly seeing our ISP controlled perimeter router sending these packets to our internal equipment. The source MAC address here is the perimeter router (Cisco 1700) and the ISP was pretty much stumped over the cause.

Regards, Mike Klinke

---------- Ethereal

Frame 1 (60 on wire, 60 captured)
    Arrival Time: Aug 18, 2003 13:48:32.919516000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II
    Destination: 00:01:02:ee:21:95 (00:01:02:ee:21:95)
    Source: 00:06:d7:ee:3a:89 (00:06:d7:ee:3a:89)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x252b
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 121
    Protocol: TCP (0x06)
    Header checksum: 0x44e2 (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 1319 (1319), Seq: 0, Ack: 986251265, Len: 0
    Source port: 80 (80)
    Destination port: 1319 (1319)
    Sequence number: 0
    Acknowledgement number: 986251265
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x97cc (correct)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
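
Added example, not part of Mike Klinke's post or the list archive: a Python check that decodes a raw Ethernet frame and flags what this thread is about, a 127/8 address on a packet that arrived over a physical link. The sample frame is constructed from the field values in the capture above; the destination 192.0.2.10 is a placeholder for the redacted address, so the IPv4 checksum is recomputed and the TCP checksum is left at zero.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample_frame() -> bytes:
    """Constructed 60-byte frame mirroring the capture's fields."""
    eth = bytes.fromhex("000102ee2195" "0006d7ee3a89" "0800")
    src = ipaddress.IPv4Address("127.0.0.1").packed
    dst = ipaddress.IPv4Address("192.0.2.10").packed  # placeholder for xxx.xxx.xxx.xxx
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x252B, 0, 121, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # TCP checksum is left at zero: it is not verified by inspect_frame().
    tcp = struct.pack("!HHIIBBHHH", 80, 1319, 0, 986251265, 0x50, 0x14, 0, 0, 0)
    return eth + ip + tcp + bytes(6)  # 6-byte Ethernet trailer, as in the capture

def inspect_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP and list why the packet is odd on a wire."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"findings": ["not IPv4"]}
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return {"findings": ["truncated IPv4 header"]}
    ip = frame[14:14 + ihl]
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    findings = []
    if ip_checksum(ip) != 0:
        findings.append("bad IPv4 header checksum")
    if src.is_loopback:
        findings.append("loopback (127/8) source seen on a physical interface")
    if dst.is_loopback:
        findings.append("loopback (127/8) destination seen on a physical interface")
    info = {"src_mac": frame[6:12].hex(":"), "src": str(src), "dst": str(dst), "ttl": ip[8]}
    tcp = frame[14 + ihl:]
    if ip[9] == 6 and len(tcp) >= 20:
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
        info.update(sport=sport, dport=dport, flags=flags)
        if flags & 0x14 == 0x14:
            findings.append("RST/ACK: reply to a connection attempt, not a request")
    info["findings"] = findings
    return info

if __name__ == "__main__":
    print(inspect_frame(build_sample_frame()))
```

The `src_mac` field in the result identifies the last-hop device that put the frame on the segment, which is how the post attributes these packets to the perimeter router.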