Security Incidents mailing list archives
RE: Localhost packets on WAN
From: "spainsecurity-s.navarro" <s.navarro () spainsecurity com>
Date: Thu, 30 Sep 2004 21:09:09 +0200
This kind of traffic can be also the beginning of an attack to your network. I've been seing this behavior in the past months in some networks I've been monitoring (of my customers). Most of the times these spoofed addresses were the beginning of DDoS attacks to hosting providers or just large networks. Your perimeter (firewall, router, whatever) should block these packets, but in the case of a DDoS atack you are lost, unless you have great bandwidth or you are monitoring carefuly to provide info to your ISP, in order to block this traffic before reaching your firewall. ISP also should not allow traffic from a loopback address. Hope this can help. -----Mensaje original----- De: James C Slora Jr [mailto:Jim.Slora () phra com] Enviado el: jueves, 30 de septiembre de 2004 5:53 Para: 'Kirby Angell'; 'Incidents List' Asunto: RE: Localhost packets on WAN I started receiving nearly identical packets on an external interface on September 22. Mine had a TTL of 125, but had the same trailers, localhost source address, etc. The target port on my network changed each time, but often repeated ports used earlier. These packets should not be arriving at your perimeter at all. They are not blowback from misguided Blaster or Nachi countermeasures as someone will undoubtedly suggest. Others have suggested possible compromise of the upstream gateway router. This seems plausible since ISPs typically do not configure their ACLs to allow such traffic to be routed. The packets stopped within an hour after I reported them to my upstream ISP. That seems to indicate a pretty high priority issue. Consider reporting it right away. Include the IP address of your upstream gateway if possible.
Current thread:
- Localhost packets on WAN Kirby Angell (Sep 29)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)
- RE: Localhost packets on WAN David Gillett (Sep 30)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)
- RE: Localhost packets on WAN spainsecurity-s.navarro (Sep 30)
- RE: Localhost packets on WAN David Gillett (Sep 30)
- Re: Localhost packets on WAN Frank Knobbe (Sep 30)
- Re: Localhost packets on WAN Kirby Angell (Sep 30)
- <Possible follow-ups>
- RE: Localhost packets on WAN NESTING, DAVID M (SBCSI) (Sep 30)
- RE: Localhost packets on WAN Frank Knobbe (Sep 30)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)