Snort mailing list archives

Re: BAD TRAFFIC loopback traffic


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 22 Aug 2003 13:02:45 -0400

At 04:07 PM 8/22/2003 +0530, IntegPatchMgr wrote:
I am getting the below message. Can anyone let me know what this means?

The IP address 127.0.0.1 is invalid to ever appear on the internet. It's a loopback address and more or less means "myself" to a computer.

The packet in question has a source IP address of 127.0.0.1. This particular case looks like a response from a broken webserver.

Sometimes setting the source to 127.0.0.1 is used to try to DoS a machine by confusing it into a loop with itself, but only very old implementations of IP stacks are vulnerable to this (well before 1995, probably circa 1992 or so).




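As an added example (not part of the original post and not Snort's own code), this is one way to express the check the reply describes: any IPv4 packet seen on a real network interface whose source or destination falls in 127.0.0.0/8 is flagged. The function names, the sample addresses and the ports are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


def check_loopback(packet):
    """Return a finding dict if a packet captured off the wire uses 127.0.0.0/8, else None."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sides = [n for n, ip in (("src", src_ip), ("dst", dst_ip)) if ip in LOOPBACK]
    if not sides:
        return None
    finding = {"src": str(src_ip), "dst": str(dst_ip), "loopback": sides, "sport": None}
    # TCP (6) and UDP (17) carry the source port in the first two bytes after the
    # IP header, but only in the first fragment (fragment offset 0).
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(packet) >= ihl + 2:
        finding["sport"] = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    return finding


if __name__ == "__main__":
    # Constructed case matching the reply: a "response" from port 80 with source 127.0.0.1
    pkt = build_ipv4_tcp("127.0.0.1", "192.0.2.10", 80, 40000, 0x14)
    print(check_loopback(pkt))
```

A source port of 80 in the finding is consistent with the "response from a broken webserver" reading; the check is only meaningful for traffic captured on a non-loopback interface.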

