Localhost packets on WAN

[Kirby Angell <kangell () alertra com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Once on the 26th and 8 times today we received packets from 127.0.0.1:80
to an ephemeral port on one of our WAN IPs.  The one on the 26th was
odd, but the ones today were very similar.  They came in pairs, usually
about 10 minutes apart for each packet in the pair.  The pairs were
about 1 hour apart.

The TTLs are all 121 which I make for a Windows box about 7 hops away.
The packets today all looked almost identical to the one at the end of
this message. The only differences are the ID field and the ephemeral
port the packet went to.  They all have the RST/ACK flags set.  I
checked a few of them, and there was no other traffic to/from that port
anywhere near the time the bogus packets came in.

I'm going to be checking in the morning to see what my firewall would do
with these sorts of packets, hopefully it is just throwing them away.
Any ideas on what this is about?  Some sort of recon, or other precursor
to something I won't like?

No.     Time                       Source                Destination
~       Protocol Info
~      4 2004-09-28 17:14:32.558443 127.0.0.1             WAN_IP
TCP      http > 1245 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

Frame 4 (60 bytes on wire, 60 bytes captured)
~    Arrival Time: Sep 28, 2004 17:14:32.558443000
~    Time delta from previous packet: 1835.696862000 seconds
~    Time since reference or first frame: 185412.560781000 seconds
~    Frame Number: 4
~    Packet Length: 60 bytes
~    Capture Length: 60 bytes
Ethernet II, Src: 00:b0:64:2f:64:c1, Dst: 00:0e:db:00:1b:15
~    Destination: 00:0e:db:00:1b:15 (Xincom_00:1b:15)
~    Source: 00:b0:64:2f:64:c1 (Cisco_2f:64:c1)
~    Type: IP (0x0800)
~    Trailer: 000000000000
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: WAN_IP
(WAN_IP)
~    Version: 4
~    Header length: 20 bytes
~    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
~        0000 00.. = Differentiated Services Codepoint: Default (0x00)
~        .... ..0. = ECN-Capable Transport (ECT): 0
~        .... ...0 = ECN-CE: 0
~    Total Length: 40
~    Identification: 0x9d01 (40193)
~    Flags: 0x00
~        0... = Reserved bit: Not set
~        .0.. = Don't fragment: Not set
~        ..0. = More fragments: Not set
~    Fragment offset: 0
~    Time to live: 121
~    Protocol: TCP (0x06)
~    Header checksum: 0xfff1 (correct)
~    Source: 127.0.0.1 (127.0.0.1)
~    Destination: WAN_IP (WAN_IP)
Transmission Control Protocol, Src Port: http (80), Dst Port: 1245
(1245), Seq: 0, Ack: 0, Len: 0
~    Source port: http (80)
~    Destination port: 1245 (1245)
~    Sequence number: 0    (relative sequence number)
~    Acknowledgement number: 0    (relative ack number)
~    Header length: 20 bytes
~    Flags: 0x0014 (RST, ACK)
~        0... .... = Congestion Window Reduced (CWR): Not set
~        .0.. .... = ECN-Echo: Not set
~        ..0. .... = Urgent: Not set
~        ...1 .... = Acknowledgment: Set
~        .... 0... = Push: Not set
~        .... .1.. = Reset: Set
~        .... ..0. = Syn: Not set
~        .... ...0 = Fin: Not set
~    Window size: 0
~    Checksum: 0x9817 (correct)


- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWkok21unUZAE9MARAi3uAKCCPnuPxPpjNb8Ly7nrLGQgeSmx+gCfVnW+
jaWle8DnH+0n5ZZbtiToH5I=
=J2PH
-----END PGP SIGNATURE-----