Snort mailing list archives
Re: Snort Abend after BAD-TRAFFIC
From: Frank Knobbe <frank () knobbe us>
Date: Sun, 21 Mar 2004 15:07:37 -0600
On Sun, 2004-03-21 at 14:39, Jason Haar wrote:
> On Mon, 2004-03-22 at 07:59, Mark.Schutzmann () Omron com wrote:
> > Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577
>
> Wow - that's a weird one. This is TCP traffic between a valid address and a loopback address. Unless your snort box is actually on address 209.176.3.124, that shouldn't happen.
No, that's normal traffic these days, just like Nimda, CodeRed, Slammer, Nachi and all those other bandwidth eating nasties. The Incidents, DShield and Snort-User archives have the solution, but I'll paste it below again. This seems to get asked every couple of months ;)

Cheers,
Frank

---8<---[forwarded without permission]--->8---

From: Dan Hanson <dhanson () securityfocus com>
To: incidents () securityfocus com
Subject: Administrivia: Are you seeing portscans from source 127.0.0.1 source port 80?
Date: Tue, 28 Oct 2003 08:59:56 -0700 (MST)

I am posting this in the hopes of dulling the 5-6 messages I get every day that are reporting port scans to their network, all of which have a source IP of 127.0.0.1 and source port 80.

It is likely Blaster (check your favourite AV site for a writeup, I won't summarize here).

The reason that people are seeing this has to do with some very bad advice that was given early in the Blaster outbreak. The advice basically was that to protect the Internet from the DoS attack that was to hit windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to windowsupdate.com. Essentially these suggestions were suggesting that hosts should commit suicide to protect the Internet.

The problem is that the DoS routine spoofs the source address, so when windowsupdate.com resolves to 127.0.0.1 the following happens.

1. Infected host picks an address as source address and sends a SYN packet to 127.0.0.1 port 80. (Sends it to itself.) (This never makes it on the wire, you will not see this part.)

2. TCP/IP stack receives the packet, responds with a reset (if there is nothing listening on that port), sending the reset to the host with the spoofed source address. (This is what people are seeing and mistaking for portscans.)

Result: It looks like a host is port scanning ephemeral ports using packets with source address:port of 127.0.0.1:80.

Solution: track back the packets by MAC address to find the infected machine.

Turn off DNS resolution of windowsupdate.com to 127.0.0.1.

Hope that helps

D
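As an added example (not part of Frank's or Dan's message), here is a small Python filter that reads Snort fast-format alert lines like the one Mark quoted and picks out the ones with the shape Dan describes: TCP from 127.0.0.1:80 to an ephemeral port on a non-loopback address. The sample lines are constructed; only the first mirrors the thread. Because the destination addresses in these alerts are the spoofed sources, the summary counts alerts and distinct destinations rather than trying to identify the infected host by IP, which, as the thread says, needs layer-2 (MAC) trackback.

```python
import re

# Snort fast-format alert, e.g.:
# "... snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: ...] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577"
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: [^\]]*\])? \[Priority: \d+\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def is_loopback_reset(alert):
    """True for the RST a Blaster-infected host's own stack sends when windowsupdate.com
    resolves to 127.0.0.1: TCP, source 127.0.0.1:80, destination an ephemeral port on a
    routable (spoofed) address. Other loopback alerts (other ports, UDP, 127.x dst) do not match."""
    return (alert is not None and alert["proto"] == "TCP"
            and alert["src"] == "127.0.0.1" and alert["sport"] == 80
            and alert["dport"] >= 1024 and not alert["dst"].startswith("127."))

def summarize(lines):
    """Count matching alerts and how many distinct (spoofed) destinations they hit.
    Many destinations from one 127.0.0.1:80 source is the pattern Dan describes."""
    hits = [a for a in map(parse_alert, lines) if is_loopback_reset(a)]
    return {"alerts": len(hits), "distinct_destinations": len({a["dst"] for a in hits})}

# Constructed sample lines: the first mirrors the thread, the last two are non-matching noise.
SAMPLE = [
    "Mar 21 13:56:09 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 209.176.3.124:1577",
    "Mar 21 13:56:10 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:80 -> 198.51.100.7:3044",
    "Mar 21 13:57:02 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 127.0.0.1:53 -> 10.0.0.5:2000",
    "Mar 21 13:57:05 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 127.0.0.1:22 -> 10.0.0.5:2001",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```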