Security Incidents mailing list archives
RE: Localhost packets on WAN
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Wed, 29 Sep 2004 23:53:09 -0400
I started receiving nearly identical packets on an external interface on September 22. Mine had a TTL of 125, but had the same trailers, localhost source address, etc. The target port on my network changed each time, but often repeated ports used earlier. These packets should not be arriving at your perimeter at all. They are not blowback from misguided Blaster or Nachi countermeasures as someone will undoubtedly suggest. Others have suggested possible compromise of the upstream gateway router. This seems plausible since ISPs typically do not configure their ACLs to allow such traffic to be routed. The packets stopped within an hour after I reported them to my upstream ISP. That seems to indicate a pretty high priority issue. Consider reporting it right away. Include the IP address of your upstream gateway if possible.
Current thread:
- Localhost packets on WAN Kirby Angell (Sep 29)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)
- RE: Localhost packets on WAN David Gillett (Sep 30)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)
- RE: Localhost packets on WAN spainsecurity-s.navarro (Sep 30)
- RE: Localhost packets on WAN David Gillett (Sep 30)
- Re: Localhost packets on WAN Frank Knobbe (Sep 30)
- Re: Localhost packets on WAN Kirby Angell (Sep 30)
- <Possible follow-ups>
- RE: Localhost packets on WAN NESTING, DAVID M (SBCSI) (Sep 30)
- RE: Localhost packets on WAN Frank Knobbe (Sep 30)
- RE: Localhost packets on WAN James C Slora Jr (Sep 30)