Security Incidents mailing list archives

RE: Localhost packets on WAN


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 30 Sep 2004 16:39:30 -0500

On Thu, 2004-09-30 at 10:00, NESTING, DAVID M (SBCSI) wrote:
> Frequently, when the source port is 80 and the destination port is
> "ephemeral", I find problems like this are usually caused by buggy or
> misconfigured load balancers in front of a web site.  Some load
> balancers get your packet to the physical server by doing tricks with
> the network stack.

Good thought, could be. But this is easy to test. Just run tcpdump and
sniff for those source IP and ephemeral ports (guess a range in advance
if all is NATed to one IP). If you do see those leaving your network to
some web site, then your theory applies. But if you don't see any such
packets originating from your network, then these incoming packets are
responses to spoofed packets. "Hanson's Blaster Theorem" applies :)   

(Of course it could be just someone sending crafted packets your way to
keep you busy chasing a ghost.... make sure you don't have a security
assessment or penetration test scheduled on your premises when those
Internet flukes appear :)

Cheers,
Frank

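The tcpdump test described in the message above can be automated by correlating a capture offline; the following is an added example, not part of the original post or thread. It assumes text output from `tcpdump -nn -tt` taken where post-NAT traffic is visible, and the function name `classify`, the 120-second window and the sample addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump -nn -tt line: "<epoch> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def classify(lines, nat_ip, window=120.0):
    """Label each inbound packet with source port 80 as 'solicited' when the
    same local port was seen leaving nat_ip for port 80 within `window`
    seconds before it, otherwise 'unsolicited'."""
    outbound = defaultdict(list)   # local port -> [(timestamp, remote ip)]
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # skip non-TCP/UDP or unparsable lines
        ts = float(m["ts"])
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["src"] == nat_ip and dport == 80:
            # Our own request leaving the network towards a web site.
            outbound[sport].append((ts, m["dst"]))
        elif m["dst"] == nat_ip and sport == 80:
            # Match on the local port only: the source address of the reply
            # may be mangled (e.g. 127.0.0.1), so it cannot be relied on.
            sites = [ip for t, ip in outbound[dport] if 0 <= ts - t <= window]
            verdict = "solicited" if sites else "unsolicited"
            results.append((m["src"], dport, verdict, sites))
    return results

# Constructed capture (documentation addresses, not taken from the thread).
SAMPLE = """\
1096580370.100000 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1000, win 5840, length 0
1096580370.180000 IP 127.0.0.1.80 > 192.0.2.10.40001: Flags [S.], seq 2000, ack 1001, win 5840, length 0
1096580391.500000 IP 127.0.0.1.80 > 192.0.2.10.1542: Flags [R.], seq 0, ack 1, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for src, port, verdict, sites in classify(SAMPLE, "192.0.2.10"):
        print(f"{src}:80 -> local port {port}: {verdict} {sites}")
```

A "solicited" result lists the web sites the local port was talking to, which are the candidates for the load balancer explanation; "unsolicited" results have no matching outbound packet and fit the spoofed-source explanation.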

