Snort mailing list archives
Re[2]: Strange Loopback Traffic
From: Jyri Hovila <jyri.hovila () iki fi>
Date: Wed, 8 Oct 2003 12:10:52 +0300
Hi!
I have a single snort host with dual NICs, one monitoring internal traffic, one monitoring external traffic (set up in stealth mode). I consistently see this traffic:
BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1969
BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1369
BAD-TRAFFIC loopback traffic 127.0.0.1:80 W.X.Y.Z:1177
I wrote about the same phenomenon to the list some time ago. Joachim had the answer:
This behaviour could stem from the measure of some companies to disarm the Blaster.A DDOS attack. They modified their DNS servers to resolve windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS windowsupdate.com weren't routed over the network. But as a result of that measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of the infected clients didn't have a webserver listening on 127.0.0.1:80 and therefore the connection was declined. Maybe that explains the odd packets you recognize.
What I'd like to know is how come there is so much of this traffic. During the last 12 hours my Snort sensors have caught 51 of these packets.
- Jyri
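The following Python is an added example, not part of the original message or of Snort: it classifies raw IPv4 packets and tallies, per destination, those matching Joachim's description (TCP RST+ACK with source 127.0.0.1:80), so a sensor operator can see how much of the loopback-source traffic that explanation accounts for. The class labels, the helper names `classify`, `summarize` and `build`, and the sample packets (documentation-range addresses) are constructed for illustration.

```python
import socket
import struct
from collections import Counter

RST, ACK = 0x04, 0x10  # TCP flag bits
BACKSCATTER = "rst-ack-from-loopback-80"  # label is this example's own

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet (bytes starting at the IP header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return "not-ipv4"
    if packet[12] != 127:  # source address outside 127.0.0.0/8
        return "not-loopback-source"
    if packet[9] != 6 or len(packet) < ihl + 14:  # not TCP, or truncated
        return "other-loopback-source"
    (sport,) = struct.unpack("!H", packet[ihl:ihl + 2])
    flags = packet[ihl + 13]
    if sport == 80 and (flags & (RST | ACK)) == (RST | ACK):
        return BACKSCATTER
    return "other-loopback-source"

def summarize(packets):
    """Return (count per class, count of backscatter packets per destination)."""
    classes, targets = Counter(), Counter()
    for p in packets:
        label = classify(p)
        classes[label] += 1
        if label == BACKSCATTER:
            targets[socket.inet_ntoa(p[16:20])] += 1
    return classes, targets

def build(src, dst, sport, dport, flags):
    """Constructed test packet: bare IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 128, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + tcp

# Constructed sample; destination ports 1969, 1369, 1177 are those in the alerts above.
SAMPLE = [
    build("127.0.0.1", "192.0.2.10", 80, 1969, RST | ACK),
    build("127.0.0.1", "192.0.2.10", 80, 1369, RST | ACK),
    build("127.0.0.1", "198.51.100.7", 80, 1177, RST | ACK),
    build("127.0.0.1", "192.0.2.10", 53, 1024, ACK),         # loopback source, other pattern
    build("203.0.113.5", "192.0.2.10", 80, 1500, RST | ACK),  # ordinary RST
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```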