Snort mailing list archives

Re: Re[2]: Strange Loopback Traffic


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 10 Oct 2003 14:11:03 -0500

On Wed, 2003-10-08 at 04:10, Jyri Hovila wrote:
> I wrote about the same phenomenon to the list some time ago. Joachim had
> the answer:
>
> > this behaviour could stem from the measure of some companies to disarm the
> > Blaster.A DDOS attack. They modified their DNS Servers to resolve
> > windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS
> > windowsupdate.com weren't routed over the network. But as a result of that
> > measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of
> > the infected clients didn't have a webserver listening on 127.0.0.1:80 and
> > therefore the connection was declined.
> > Maybe that explains the odd packets you recognize.


That doesn't seem to fit my scenario. Where I see those packets, they
are coming from the Internet. The Src is 127.0.0.1:80 with the MAC
address of the Internet router, and destinations are
<client-IPs>:<random-high-port> with the MAC address being internal
(i.e. firewall, DMZ hosts). They are indeed TCP Resets, but I never see
any packets going out (why should they, 127.0.0.1 isn't on the Internet
:)

I clearly see spoofed packets coming. Perhaps backscatter from
something, but unlikely. And if so, the original src addresses are
spoofed since the monitored segments don't send such stuff out.

I file this under "junk and other random noise from the Internet" :)

Cheers,
Frank
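The two explanations in this thread can be told apart with the same evidence Frank uses: the source MAC of the frame (gateway versus internal host) and whether the monitored segment ever sent a SYN that the RST could be answering. The following is an added example, not code from the thread or from Snort; it is a small Python classifier over constructed packet records (the Packet dataclass, the MAC and IP values from the RFC documentation ranges, and the verdict names are all assumptions of this example, standing in for what a sniffer would hand you).

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Source ranges that must never appear as the source of a packet arriving
# from the Internet: "this network", loopback, link-local, multicast, reserved.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured frame (assumed shape, constructed for this example)."""
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "RA", "A"


def is_martian(ip: str) -> bool:
    """True if the address lies in a range that cannot legitimately source Internet traffic."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MARTIAN_SOURCES)


def classify(pkt: Packet, gateway_mac: str, outbound_syns: set) -> str:
    """Return a verdict for one packet.

    outbound_syns collects (client_ip, client_port, server_ip, server_port) for
    every SYN seen leaving the monitored segment, so that a later RST can be
    matched against a real connection attempt instead of being taken at face value.
    """
    if pkt.flags == "S" and pkt.src_mac != gateway_mac:
        # A SYN from an internal host: remember it for matching replies.
        outbound_syns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "outbound-syn"
    if is_martian(pkt.src_ip):
        if pkt.src_mac == gateway_mac:
            # Loopback (or other martian) source delivered by the Internet router:
            # nothing inside could have produced it, so it is spoofed or junk.
            return "spoofed-martian-from-internet"
        # Same source but from an internal MAC: a local host leaking, e.g. RSTs
        # generated after a DNS sinkhole resolved a name to 127.0.0.1.
        return "martian-from-internal-host"
    if "R" in pkt.flags:
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in outbound_syns:
            # No SYN ever left for this 4-tuple: backscatter or random noise.
            return "unsolicited-rst"
        return "rst-for-known-connection"
    return "normal"


def summarize(packets, gateway_mac: str) -> Counter:
    """Run the classifier over a capture and count verdicts."""
    seen = set()
    counts = Counter()
    for p in packets:
        counts[classify(p, gateway_mac, seen)] += 1
    return counts


# Constructed sample capture. MACs use the IANA documentation block 00-00-5E-00-53-xx,
# IPs use TEST-NET ranges; none of these are real hosts.
GATEWAY_MAC = "00:00:5e:00:53:01"
INTERNAL_MAC = "00:00:5e:00:53:10"
SAMPLE = [
    Packet(INTERNAL_MAC, "192.0.2.10", 40000, "198.51.100.5", 80, "S"),
    Packet(GATEWAY_MAC, "198.51.100.5", 80, "192.0.2.10", 40000, "RA"),
    Packet(GATEWAY_MAC, "127.0.0.1", 80, "192.0.2.10", 51234, "RA"),
    Packet(GATEWAY_MAC, "127.0.0.1", 80, "192.0.2.11", 44321, "RA"),
    Packet(INTERNAL_MAC, "127.0.0.1", 80, "192.0.2.12", 33333, "RA"),
    Packet(GATEWAY_MAC, "203.0.113.9", 443, "192.0.2.10", 45678, "RA"),
    Packet(GATEWAY_MAC, "198.51.100.5", 80, "192.0.2.10", 40000, "A"),
]

if __name__ == "__main__":
    for verdict, n in sorted(summarize(SAMPLE, GATEWAY_MAC).items()):
        print(f"{verdict:32s} {n}")
```

The ordering of the checks matters: the martian test runs before the RST matching, because a loopback source can never have a legitimate connection state regardless of flags, and the gateway MAC comparison is what separates Frank's case (spoofed from outside) from the sinkhole case Joachim described (leaked from inside).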
