Security Incidents mailing list archives

Re: Spooky traffic from a loopback address?


From: gabriel rosenkoetter <gr () eclipsed net>
Date: Thu, 13 Jun 2002 00:46:26 -0400

On Tue, Jun 11, 2002 at 07:43:53AM +0800, Clinton Smith wrote:
> I have begun to see sparse connections of the following nature:
> 127.0.0.2:HIGHPORT --> 192.168.0.1:80 (SYN)
> 3 or 4 at a time coming from an internet gateway.

Guess this justifies these two IPF rules, which I'd been figuring
were just my rampant paranoia:

block in log quick on mc0 from 127.0.0.0/8 to any
block in log quick on mc0 from any to 127.0.0.0/8

> I have read the following:
> http://online.securityfocus.com/archive/1/166648

Then you know what the problem is.

> Q Has anyone seen this type of packet or am I just seeing
> badly configured network devices?

Would have to know more, but this feels a whole lot like someone
trying to exploit the condition you reference.

What OS are you using? What version? Have you tried using tcpdump
and friends to trace the real source of these packets?

-- 
gabriel rosenkoetter
gr () eclipsed net
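
Added example, not part of the original message: a 127.0.0.0/8 source address says nothing about where a packet came from, so one way to follow the tcpdump suggestion above is to capture with link-level headers (`tcpdump -e -n`) and group the offending packets by source MAC, which identifies the adjacent device that put the frame on the wire. The sample lines, MAC addresses and function name are constructed for illustration, and the parser assumes tcpdump's current Ethernet/IPv4 text output.

```python
import ipaddress
import re
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# One `tcpdump -e -n` IPv4 line: timestamp, src MAC > dst MAC, then src > dst.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

# Constructed sample capture (not real traffic): two loopback-sourced SYNs
# from one neighbour and one ordinary SYN from another.
SAMPLE = """\
00:46:20.100001 00:a0:c9:11:22:33 > 00:05:02:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 127.0.0.2.34567 > 192.168.0.1.80: Flags [S], seq 1, win 5840, length 0
00:46:20.100950 00:a0:c9:11:22:33 > 00:05:02:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 127.0.0.2.34568 > 192.168.0.1.80: Flags [S], seq 2, win 5840, length 0
00:46:21.500000 00:10:4b:44:55:66 > 00:05:02:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.0.7.40000 > 192.168.0.1.80: Flags [S], seq 3, win 5840, length 0
""".splitlines()


def loopback_martians(lines):
    """Map sending MAC -> [(src, dst, dport)] for packets touching 127/8."""
    by_mac = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-IPv4 frame or unrecognised line format
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # digits that are not a valid IPv4 address
        # Loopback addresses should never appear on a wire-facing interface.
        if src in LOOPBACK or dst in LOOPBACK:
            by_mac[m["smac"]].append((m["src"], m["dst"], m["dport"]))
    return dict(by_mac)


if __name__ == "__main__":
    for mac, pkts in loopback_martians(SAMPLE).items():
        print(f"{mac}: {len(pkts)} loopback-addressed packet(s)")
        for src, dst, dport in pkts:
            print(f"  {src} -> {dst} port {dport}")
```

If the packets were routed, the MAC found this way is only the last hop (here, the gateway), and the same capture has to be repeated on that device's upstream side.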
