Snort mailing list archives
Re: Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80?
From: Bier_und_Schnaps () gmx de
Date: Wed, 3 Sep 2003 14:19:00 +0200 (MEST)
Hi,

this behaviour could stem from the measure of some companies to disarm the Blaster.A DDOS attack. They modified their DNS Servers to resolve windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS windowsupdate.com weren't routed over the network. But as a result of that measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of the infected clients didn't have a webserver listening on 127.0.0.1:80 and therefore the connection was declined. Maybe that explains the odd packets you recognize.

Regards
Joachim
Current thread:
- Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80? Jyri Hovila (Sep 01)
- <Possible follow-ups>
- Re: Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80? Bier_und_Schnaps (Sep 03)