Bad loopback traffic not stopped by ipfw.
Iasen Kostov
tbyte at OTEL.net
Wed Feb 25 06:12:18 PST 2004
Andrew Riabtsev wrote:
>Привет Iasen,
>
>Wednesday, February 25, 2004, 3:37:25 PM, you wrote:
>
>IK> netstat -s -p ip
>IK> .
>IK> .
>IK> .
>IK> 3575124 datagrams with bad address in header
>
>IK> Could it be this that drops "bad" packets before they enter the IPFW ?
>
>To me it would be also interesting to know where this traffic comes
>from. I have same on my local net:
>
># tcpdump -neifxp0 src or dst 127.0.0.1
>tcpdump: listening on fxp0
>16:26:23.280737 0:50:fc:ed:d4:4 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.141.148.1928: R 0:0(0) ack 1986723841 win 0
>16:26:23.285831 0:d:61:e:3f:c3 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.213.167.1571: R 0:0(0) ack 812253185 win 0
>16:26:23.287642 0:1:2:9c:cf:e2 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.118.205.1046: R 0:0(0) ack 1959723009 win 0
>16:26:23.297289 0:4:79:68:14:9c 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.214.208.1997: R 0:0(0) ack 1905917953 win 0
>16:26:23.297555 0:c0:df:13:87:c4 0:02:55:b0:90:e4 0800 60: 127.0.0.1.80 > 192.168.53.212.1836: R 0:0(0) ack 1137442817 win 0
>
>dst mac-address is mac of fxp0 and src addresses is macs from local
>net not just nonexistent macs. It could be some kind of attack or it
>is flood from broken device in local net or maybe something else, i'll
>try to find it out. Let me know if You find out something new.
>
> Andrew mailto:resident at b-o.ru
>
>
>
>
Yes I see milions of packets of that type too ... What is the OS of
the computer sending this packets ? It could be a trojan-flooder or
something like that or a broken wind0ze driver ...
More information about the freebsd-net
mailing list