Re: loopback traffic

[Matt Kettler <mkettler () evi-inc com>]

At 04:11 PM 5/19/2004, Security Personnel wrote:
> Down to some more strangeness ---> the packets are rarely to the same 
> port, they come to EVERY machine on our IP range, and picking apart the 
> headers has given me the originating MAC address of our ISP's gateway machine!

Well, that's not surprising.. all packets inbound from the internet are 
going to have your ISP's gateway machine MAC address on them. It's a 
gateway after all.

So, basically what you can conclude is that someone, somewhere outside your 
network (or at least on the other side of your gateway) has sent a packet 
with 127.0.0.1 as a source address to your network.

This could be a result of deliberate spoofing, it could be a weak DoS 
attempt, or it could just be someone's system is broken and spewing 
malformed packets.

The sending machine could be the ISP's gateway, or any part of your ISPs 
network, or any part of the internet as a general whole.

> Any ideas? any fellow sufferers?

Firewall inbound packets with 127.0.0.1 as a source address?








-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users