[Dshield] Spoofed attack from IP 127.0.0.1

Blanchard, Joe BLANCHAJ at bsci.com
Tue Oct 28 16:27:57 GMT 2003


I would contact your upstream provider and have them block the
127/16 sourced addresses. Sounds like a pseudo-denial of service,
and chances are your upstream/ISP has the bandwidth to handle it; as
well, they may be able to trace the origin.

Cheers
-Joe

-----Original Message-----
From: Deb Hale [mailto:haled at pionet.net]
Sent: Tuesday, October 28, 2003 10:32 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Spoofed attack from IP 127.0.0.1


I am seeing the same thing on one of my Internet connections.  I am trying
to figure out what is going on.  If anyone has any ideas, I would appreciate
input.  Deb




Hi,

We are under spoofed attack from IP 127.0.0.1 almost every minute.  Is there
anything I can do?

Thanks,
Dusanka

PS: Here are a few log records:
2003-10-28	13:51:45	127.0.0.1	66.28.8.96	Tcp	80
1310	RST ACK 	Spoof	66.28.20.42	45 00 00 28 1e 57 00 00 77
06 5b fc 7f 00 00 01 42 1c 08 60	00 50 05 1e 00 00 00 00 09 fd 00 01
50 14 00 00 d6 e7 00 00
2003-10-28	13:54:19	127.0.0.1	66.28.8.108	Tcp	80
1131	RST ACK 	Spoof	66.28.20.42	45 00 00 28 47 e0 00 00 77
06 32 67 7f 00 00 01 42 1c 08 6c	00 50 04 6b 00 00 00 00 10 e3 00 01
50 14 00 00 d0 a8 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80
1346	RST ACK 	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77
06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01
50 14 00 00 af 05 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80
1346	RST ACK 	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77
06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01
50 14 00 00 af 05 00 00
2003-10-28	13:57:15	127.0.0.1	66.28.8.101	Tcp	80
1400	RST ACK 	Spoof	66.28.20.42	45 00 00 28 77 ec 00 00 77
06 02 62 7f 00 00 01 42 1c 08 65	00 50 05 78 00 00 00 00 13 6e 00 01
50 14 00 00 cd 17 00 00
2003-10-28	13:58:21	127.0.0.1	66.28.8.101	Tcp	80
1547	RST ACK 	Spoof	66.28.20.42	45 00 00 28 89 d3 00 00 77
06 f0 7a 7f 00 00 01 42 1c 08 65	00 50 06 0b 00 00 00 00 09 21 00 01
50 14 00 00 d6 d1 00 00
2003-10-28	13:58:45	127.0.0.1	66.28.8.15	Tcp	80
1938	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 90 4e 00 00 77
06 ea 55 7f 00 00 01 42 1c 08 0f	00 50 07 92 00 00 00 00 3d 67 00 01
50 14 00 00 a1 5a 00 00
2003-10-28	13:59:09	127.0.0.1	66.28.8.113	Tcp	80
1154	RST ACK 	Spoof	66.28.20.42	45 00 00 28 96 8c 00 00 77
06 e3 b5 7f 00 00 01 42 1c 08 71	00 50 04 82 00 00 00 00 29 87 00 01
50 14 00 00 b7 e8 00 00
2003-10-28	13:59:28	127.0.0.1	66.28.8.112	Tcp	80
1023	RST ACK 	Spoof	66.28.20.42	45 00 00 28 9b 83 00 00 77
06 de bf 7f 00 00 01 42 1c 08 70	00 50 03 ff 00 00 00 00 70 bc 00 01
50 14 00 00 71 37 00 00
2003-10-28	14:01:24	127.0.0.1	66.28.8.97	Tcp	80
1681	RST ACK 	Spoof	66.28.20.42	45 00 00 28 b9 c4 00 00 77
06 c0 8d 7f 00 00 01 42 1c 08 61	00 50 06 91 00 00 00 00 1c 1a 00 01
50 14 00 00 c3 56 00 00
2003-10-28	14:01:43	127.0.0.1	66.28.8.96	Tcp	80
1782	RST ACK 	Spoof	66.28.20.42	45 00 00 28 be a2 00 00 77
06 bb b0 7f 00 00 01 42 1c 08 60	00 50 06 f6 00 00 00 00 63 4f 00 01
50 14 00 00 7b bd 00 00
2003-10-28	14:02:14	127.0.0.1	66.28.8.14	Tcp	80
1037	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 c6 bd 00 00 77
06 b3 e7 7f 00 00 01 42 1c 08 0e	00 50 04 0d 00 00 00 00 28 03 00 01
50 14 00 00 ba 44 00 00
2003-10-28	14:03:12	127.0.0.1	66.28.8.106	Tcp	80
1338	RST ACK 	Spoof	66.28.20.42	45 00 00 28 d6 6e 00 00 77
06 a3 da 7f 00 00 01 42 1c 08 6a	00 50 05 3a 00 00 00 00 21 c5 00 01
50 14 00 00 be f9 00 00
2003-10-28	14:03:30	127.0.0.1	66.28.8.105	Tcp	80
1439	RST ACK 	Spoof	66.28.20.42	45 00 00 28 db 3b 00 00 77
06 9f 0e 7f 00 00 01 42 1c 08 69	00 50 05 9f 00 00 00 00 68 fa 00 01
50 14 00 00 77 60 00 00
2003-10-28	14:03:42	127.0.0.1	66.28.8.118	Tcp	80
1075	RST ACK 	Spoof	66.28.20.42	45 00 00 28 de 63 00 00 77
06 9b d9 7f 00 00 01 42 1c 08 76	00 50 04 33 00 00 00 00 7a f7 00 01
50 14 00 00 66 c2 00 00
2003-10-28	14:04:54	127.0.0.1	66.28.8.12	Tcp	80
1091	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 f4 5f 00 00 77
06 86 47 7f 00 00 01 42 1c 08 0c	00 50 04 43 00 00 00 00 64 21 00 01
50 14 00 00 7d f2 00 00
2003-10-28	14:06:33	127.0.0.1	66.28.8.101	Tcp	80
1573	RST ACK 	Spoof	66.28.20.42	45 00 00 28 0e 03 00 00 77
06 6c 4b 7f 00 00 01 42 1c 08 65	00 50 06 25 00 00 00 00 7b f3 00 01
50 14 00 00 63 e5 00 00
2003-10-28	14:06:44	127.0.0.1	66.28.8.114	Tcp	80
1209	RST ACK 	Spoof	66.28.20.42	45 00 00 28 11 25 00 00 77
06 69 1c 7f 00 00 01 42 1c 08 72	00 50 04 b9 00 00 00 00 0d f0 00 01
50 14 00 00 d3 47 00 00
2003-10-28	14:07:03	127.0.0.1	66.28.8.113	Tcp	80
1310	RST ACK 	Spoof	66.28.20.42	45 00 00 28 15 e8 00 00 77
06 64 5a 7f 00 00 01 42 1c 08 71	00 50 05 1e 00 00 00 00 55 25 00 01
50 14 00 00 8b ae 00 00
2003-10-28	14:07:51	127.0.0.1	66.28.8.126	Tcp	80
1685	RST ACK 	Spoof	66.28.20.42	45 00 00 28 22 de 00 00 77
06 57 57 7f 00 00 01 42 1c 08 7e	00 50 06 95 00 00 00 00 75 8b 00 01
50 14 00 00 69 c4 00 00



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
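
Added example, not part of the original thread: a small decoder for the hex packet dump that ends each log record above. It parses the IPv4 and TCP headers, verifies the IP header checksum, and flags a source inside the loopback block 127.0.0.0/8. The function and field names are assumptions made for this illustration; the sample bytes are those of the first logged packet (13:51:45).

```python
import ipaddress
import struct

# Packet bytes of the first log record (13:51:45), copied from the post.
SAMPLE_HEX = (
    "45 00 00 28 1e 57 00 00 77 06 5b fc 7f 00 00 01 42 1c 08 60 "
    "00 50 05 1e 00 00 00 00 09 fd 00 01 50 14 00 00 d6 e7 00 00"
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 upward


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_packet(hex_dump: str) -> dict:
    """Decode an IPv4+TCP packet given as space-separated hex bytes."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("truncated IP or TCP header")
    if raw[9] != 6:
        raise ValueError("not TCP")
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    flag_bits = raw[ihl + 13]
    return {
        "src": str(src), "dst": str(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "ttl": raw[8],
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flag_bits & (1 << i)],
        # A header that includes a correct checksum sums to 0xFFFF.
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        # Loopback sources must never arrive from the network (RFC 1122).
        "loopback_source": src in LOOPBACK,
    }


if __name__ == "__main__":
    for key, value in decode_packet(SAMPLE_HEX).items():
        print(f"{key:16} {value}")
```

Run against the sample, it reports a well-formed RST/ACK from 127.0.0.1 port 80 to 66.28.8.96 port 1310. RFC 1122 forbids loopback addresses from appearing outside a host, so a packet like this arriving on an external interface can be dropped on source address alone.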

