Security Incidents mailing list archives
Re: Spooky traffic from a loopback address?
From: gabriel rosenkoetter <gr () eclipsed net>
Date: Thu, 13 Jun 2002 00:46:26 -0400
On Tue, Jun 11, 2002 at 07:43:53AM +0800, Clinton Smith wrote:
I have begun to see sparse connections of the following nature: 127.0.0.2:HIGHPORT --> 192.168.0.1:80 (SYN) 3 or 4 at a time coming from an internet gateway.
Guess this justifies these two IPF rules, which I'd been figuring were just my rampant paranoia: block in log quick on mc0 from 127.0.0.0/8 to any block in log quick on mc0 from any to 127.0.0.0/8
I have read the following: http://online.securityfocus.com/archive/1/166648
Then you know what the problem is.
Q Has anyone seen this type of packet or am I just seeing badly configured network devices?
Would have to know more, but this feels a whole lot like someone trying to exploit the condition you reference. What OS are you using? What version? Have you tried using tcpdump and friends to trace the real source of these packets? -- gabriel rosenkoetter gr () eclipsed net
Attachment:
_bin
Description:
Current thread:
- Spooky traffic from a loopback address? Clinton Smith (Jun 11)
- Re: Spooky traffic from a loopback address? gabriel rosenkoetter (Jun 13)