Security Incidents mailing list archives

RE: Localhost packets on WAN


From: "spainsecurity-s.navarro" <s.navarro () spainsecurity com>
Date: Thu, 30 Sep 2004 21:09:09 +0200

This kind of traffic can also be the beginning of an attack on your network.
I've been seeing this behavior in the past months in some networks I've been
monitoring (of my customers).
Most of the time these spoofed addresses were the beginning of DDoS attacks on
hosting providers or just large networks.
Your perimeter (firewall, router, whatever) should block these packets, but in
the case of a DDoS attack you are lost, unless you have great bandwidth or you
are monitoring carefully to provide info to your ISP, in order to block this
traffic before reaching your firewall. ISPs also should not allow traffic from a
loopback address.
Hope this can help.

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Thursday, September 30, 2004 5:53
To: 'Kirby Angell'; 'Incidents List'
Subject: RE: Localhost packets on WAN

I started receiving nearly identical packets on an external interface on
September 22. Mine had a TTL of 125, but had the same trailers, localhost source
address, etc.

The target port on my network changed each time, but often repeated ports used
earlier.

These packets should not be arriving at your perimeter at all. They are not
blowback from misguided Blaster or Nachi countermeasures as someone will
undoubtedly suggest.

Others have suggested possible compromise of the upstream gateway router.
This seems plausible since ISPs typically do not configure their ACLs to allow
such traffic to be routed.

The packets stopped within an hour after I reported them to my upstream ISP.
That seems to indicate a pretty high priority issue. Consider reporting it right
away. Include the IP address of your upstream gateway if possible.
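
Added example, not part of either message above and not the posters' own code: a Python check that parses raw IPv4 packets captured on an external interface and summarises those carrying a 127.0.0.0/8 source by TTL and destination port, the details an upstream ISP report would include. All function names are hypothetical, and the sample packets are constructed using documentation address ranges.

```python
import ipaddress
import socket
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def build_packet(src, dst, ttl, dport, sport=1024):
    """Constructed sample: minimal IPv4 + TCP header (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 0, 0, 0)
    return ip + tcp

def parse(pkt):
    """Return (src, dst, ttl, proto, dport), or None for non-IPv4/truncated input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    ttl, proto = pkt[8], pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    dport = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, ttl, proto, dport

def loopback_on_wan(packets):
    """Summarise packets seen on the external interface with a 127/8 source."""
    hits, ttls, ports = 0, Counter(), Counter()
    for pkt in packets:
        fields = parse(pkt)
        if fields is None or fields[0] not in LOOPBACK:
            continue                    # unparsable or legitimate source
        hits += 1
        ttls[fields[2]] += 1
        ports[fields[4]] += 1
    return {"hits": hits, "ttls": dict(ttls), "dst_ports": dict(ports)}

# Constructed capture: three loopback-sourced packets, one ordinary packet,
# and one truncated frame that the parser must skip.
SAMPLE = [
    build_packet("127.0.0.1", "192.0.2.10", 125, 1025),
    build_packet("127.0.0.1", "192.0.2.10", 125, 1433),
    build_packet("127.0.0.1", "192.0.2.11", 125, 1025),
    build_packet("198.51.100.7", "192.0.2.10", 52, 443),
    b"\x45\x00",
]
```

Calling `loopback_on_wan(SAMPLE)` returns the hit count with per-TTL and per-port tallies; a single repeated TTL across many destination ports points to one sender behind the spoofed source.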



