Snort mailing list archives

Re: Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80?


From: Bier_und_Schnaps () gmx de
Date: Wed, 3 Sep 2003 14:19:00 +0200 (MEST)

Hi,

this behaviour could stem from the measure of some companies to disarm the
Blaster.A DDOS attack. They modified their DNS servers to resolve
windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS
windowsupdate.com weren't routed over the network. But as a result of that
measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of
the infected clients didn't have a webserver listening on 127.0.0.1:80 and
therefore the connection was declined.
Maybe that explains the odd packets you recognize.

Regards Joachim
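
An added example, not part of the message above: a small Python filter that picks the packet shape Joachim describes (RST/ACK, source 127.0.0.1:80) out of tcpdump text output and counts the destinations. The sample lines are constructed and use documentation address ranges; the function names and labels are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in tcpdump text format (not captures from this thread).
SAMPLE = """\
14:19:00.101 IP 127.0.0.1.80 > 198.51.100.23.1177: Flags [R.], seq 0, ack 674711610, win 0, length 0
14:19:00.205 IP 127.0.0.1.80 > 203.0.113.9.1893: Flags [R.], seq 0, ack 674711611, win 0, length 0
14:19:00.310 IP 192.0.2.10.80 > 192.0.2.55.40112: Flags [S.], seq 1, ack 2, win 65535, length 0
14:19:00.411 IP 127.0.0.1.80 > 203.0.113.9.1893: Flags [P.], seq 1:5, ack 1, win 512, length 4
14:19:00.512 IP 192.0.2.77.1034 > 192.0.2.10.80: Flags [R.], seq 0, ack 9, win 0, length 0
not a packet line
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify(line):
    """Return 'loopback-80-rst-ack', 'martian-other', or None for one line."""
    m = LINE.match(line)
    if m is None:
        return None  # not a parsable IPv4 TCP line
    if not ipaddress.ip_address(m["src"]).is_loopback:
        return None  # ordinary source address, not the artefact discussed here
    flags = m["flags"]
    # tcpdump prints RST+ACK as "R." (the "." is the ACK bit).
    if m["sport"] == "80" and "R" in flags and "." in flags:
        return "loopback-80-rst-ack"
    # A loopback source seen on the wire, but not the refused-connection shape.
    return "martian-other"

def refused_targets(text):
    """Count destinations that received an RST/ACK from loopback port 80."""
    hits = Counter()
    for line in text.splitlines():
        if classify(line) == "loopback-80-rst-ack":
            hits[LINE.match(line)["dst"]] += 1
    return hits

if __name__ == "__main__":
    for dst, n in refused_targets(SAMPLE).items():
        print(f"{n} RST/ACK from 127.0.0.1:80 -> {dst}")
```
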

