freebsd-security Digest, Vol 61, Issue 3
Neo-Vortex
root at Neo-Vortex.Ath.Cx
Mon Jun 7 06:10:52 GMT 2004
On Mon, 7 Jun 2004, Michael Vlasov wrote:
> On Sat, 29 May 2004 12:00:52 -0700 (PDT),
> <freebsd-security-request at freebsd.org> wrote:
>
> Hello !
>
> Today i see in snort logs :
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x568A0001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x37920001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> Why ? ;-)
Ok, that means that someone (or thing) is spoofing packets to your box
(i know, and so does snort, that its spoofed because the source ip is
127.0.0.1 and its coming in on an interface apart from lo0) this is
sometimes used as a DoS attack (its one of those fun addresses to use as
source addresses for them), although, by the looks of it (because theres
multiple dst-ports being used), someone is using a program like nmap to
portscan your host using a spoofed ip
~Neo-Vortex
More information about the freebsd-security
mailing list