Snort mailing list archives
Re: Re[2]: Strange Loopback Traffic
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 10 Oct 2003 14:11:03 -0500
On Wed, 2003-10-08 at 04:10, Jyri Hovila wrote:
I wrote about the same phenomenon to the list some time ago. Joachim had the answer: this behaviour could stem from the measure of some companies to disarm the Blaster.A DDOS attack. They modified their DNS Servers to resolve windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS windowsupdate.com weren't routed over the network. But as a result of that measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of the infected clients didn't have a webserver listening on 127.0.0.1:80 and therefore the connection was declined. Maybe that explains the odd packets you recognize.
That doesn't seem to fit my scenario. Where I see those packets, they are coming from the Internet. The Src is 127.0.0.1:80 with the MAC address of the Internet router, and destinations are <client-IPs>:<random-high-port> with the MAC address being internal (i.e. firewall, DMZ hosts). They are indeed TCP Resets, but I never see any packets going out (why should they, 127.0.0.1 isn't on the Internet :)

I clearly see spoofed packets coming. Perhaps backscatter from something, but unlikely. And if so, the original src addresses are spoofed since the monitored segments don't send such stuff out.

I file this under "junk and other random noise from the Internet" :)

Cheers,
Frank
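
The two explanations in this thread can be told apart by the source MAC on the loopback-sourced resets. The following is an added example, not part of the original messages: it assumes `tcpdump -e -n` text output, a known router MAC (`ROUTER_MAC` is a placeholder), and constructed sample lines using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumption: MAC of the Internet-facing router on the monitored segment.
ROUTER_MAC = "00:00:5e:00:53:01"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Matches `tcpdump -e -n` TCP lines: MACs, src ip.port, dst ip.port, flags.
LINE_RE = re.compile(
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),"
    r".*?: (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]",
    re.IGNORECASE,
)

def classify(line, router_mac=ROUTER_MAC):
    """Return None, or (verdict, dst, dport) for a TCP RST with a loopback source."""
    m = LINE_RE.search(line)
    if not m or "R" not in m["flags"]:
        return None
    try:
        if ipaddress.ip_address(m["src"]) not in LOOPBACK:
            return None
    except ValueError:  # malformed address in the capture text
        return None
    # Router MAC as L2 source: the frame arrived from upstream (spoofed source).
    # Any other MAC: a host on the monitored segment emitted it itself.
    verdict = "inbound-spoofed" if m["smac"].lower() == router_mac else "local-origin"
    return verdict, m["dst"], int(m["dport"])

def summarize(lines):
    """Count loopback-sourced resets per verdict across a capture."""
    hits = [c for c in map(classify, lines) if c]
    return Counter(v for v, _, _ in hits), hits

# Constructed sample capture lines (not taken from the thread).
SAMPLE = [
    "14:02:11.120331 00:00:5e:00:53:01 > 00:00:5e:00:53:10, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.10.3345: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:02:11.480112 00:00:5e:00:53:01 > 00:00:5e:00:53:11, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 192.0.2.11.1612: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:02:12.003410 00:00:5e:00:53:22 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 60: 127.0.0.1.80 > 198.51.100.7.2201: Flags [R.], seq 0, ack 1, win 0, length 0",
    "14:02:12.500000 00:00:5e:00:53:01 > 00:00:5e:00:53:10, ethertype IPv4 (0x0800), length 74: 198.51.100.9.443 > 192.0.2.10.40112: Flags [S.], seq 1, ack 2, win 65535, length 0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE)[0])
```

A "local-origin" hit points to a host on the monitored segment answering for 127.0.0.1:80 itself, as in the DNS explanation quoted above; an "inbound-spoofed" hit matches the pattern Frank describes.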