[Dshield] Spoofed attack from IP 127.0.0.1

Keith Bergen keith at keithbergen.com
Tue Oct 28 17:26:36 GMT 2003


Deb,

I don't know if this relates or not, but I posted last week that I saw a
number of IP ranges that resolved to "localhost" rather than an actual
domain name. See thread "Class C resolves to localhost".

Perhaps that has something to do with what you are seeing?

Keith.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Deb Hale
Sent: Tuesday, October 28, 2003 10:32 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Spoofed attack from IP 127.0.0.1


I am seeing the same thing on one of my Internet connections.  I am trying
to figure out what is going on.  If anyone has any ideas, I would appreciate
input.  Deb




Hi,

We are under spoofed attack from IP 127.0.0.1 almost every minute.  Is there
anything I can do?

Thanks,
Dusanka

PS: Here are a few log records:
2003-10-28	13:51:45	127.0.0.1	66.28.8.96	Tcp	80
1310	RST ACK 	Spoof	66.28.20.42	45 00 00 28 1e 57 00 00 77
06 5b fc 7f 00 00 01 42 1c 08 60	00 50 05 1e 00 00 00 00 09 fd 00 01
50 14 00 00 d6 e7 00 00
2003-10-28	13:54:19	127.0.0.1	66.28.8.108	Tcp	80
1131	RST ACK 	Spoof	66.28.20.42	45 00 00 28 47 e0 00 00 77
06 32 67 7f 00 00 01 42 1c 08 6c	00 50 04 6b 00 00 00 00 10 e3 00 01
50 14 00 00 d0 a8 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80
1346	RST ACK 	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77
06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01
50 14 00 00 af 05 00 00
2003-10-28	13:54:27	127.0.0.1	66.28.8.126	Tcp	80
1346	RST ACK 	Spoof	66.28.20.42	45 00 00 28 4a 90 00 00 77
06 2f a5 7f 00 00 01 42 1c 08 7e	00 50 05 42 00 00 00 00 31 9d 00 01
50 14 00 00 af 05 00 00
2003-10-28	13:57:15	127.0.0.1	66.28.8.101	Tcp	80
1400	RST ACK 	Spoof	66.28.20.42	45 00 00 28 77 ec 00 00 77
06 02 62 7f 00 00 01 42 1c 08 65	00 50 05 78 00 00 00 00 13 6e 00 01
50 14 00 00 cd 17 00 00
2003-10-28	13:58:21	127.0.0.1	66.28.8.101	Tcp	80
1547	RST ACK 	Spoof	66.28.20.42	45 00 00 28 89 d3 00 00 77
06 f0 7a 7f 00 00 01 42 1c 08 65	00 50 06 0b 00 00 00 00 09 21 00 01
50 14 00 00 d6 d1 00 00
2003-10-28	13:58:45	127.0.0.1	66.28.8.15	Tcp	80
1938	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 90 4e 00 00 77
06 ea 55 7f 00 00 01 42 1c 08 0f	00 50 07 92 00 00 00 00 3d 67 00 01
50 14 00 00 a1 5a 00 00
2003-10-28	13:59:09	127.0.0.1	66.28.8.113	Tcp	80
1154	RST ACK 	Spoof	66.28.20.42	45 00 00 28 96 8c 00 00 77
06 e3 b5 7f 00 00 01 42 1c 08 71	00 50 04 82 00 00 00 00 29 87 00 01
50 14 00 00 b7 e8 00 00
2003-10-28	13:59:28	127.0.0.1	66.28.8.112	Tcp	80
1023	RST ACK 	Spoof	66.28.20.42	45 00 00 28 9b 83 00 00 77
06 de bf 7f 00 00 01 42 1c 08 70	00 50 03 ff 00 00 00 00 70 bc 00 01
50 14 00 00 71 37 00 00
2003-10-28	14:01:24	127.0.0.1	66.28.8.97	Tcp	80
1681	RST ACK 	Spoof	66.28.20.42	45 00 00 28 b9 c4 00 00 77
06 c0 8d 7f 00 00 01 42 1c 08 61	00 50 06 91 00 00 00 00 1c 1a 00 01
50 14 00 00 c3 56 00 00
2003-10-28	14:01:43	127.0.0.1	66.28.8.96	Tcp	80
1782	RST ACK 	Spoof	66.28.20.42	45 00 00 28 be a2 00 00 77
06 bb b0 7f 00 00 01 42 1c 08 60	00 50 06 f6 00 00 00 00 63 4f 00 01
50 14 00 00 7b bd 00 00
2003-10-28	14:02:14	127.0.0.1	66.28.8.14	Tcp	80
1037	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 c6 bd 00 00 77
06 b3 e7 7f 00 00 01 42 1c 08 0e	00 50 04 0d 00 00 00 00 28 03 00 01
50 14 00 00 ba 44 00 00
2003-10-28	14:03:12	127.0.0.1	66.28.8.106	Tcp	80
1338	RST ACK 	Spoof	66.28.20.42	45 00 00 28 d6 6e 00 00 77
06 a3 da 7f 00 00 01 42 1c 08 6a	00 50 05 3a 00 00 00 00 21 c5 00 01
50 14 00 00 be f9 00 00
2003-10-28	14:03:30	127.0.0.1	66.28.8.105	Tcp	80
1439	RST ACK 	Spoof	66.28.20.42	45 00 00 28 db 3b 00 00 77
06 9f 0e 7f 00 00 01 42 1c 08 69	00 50 05 9f 00 00 00 00 68 fa 00 01
50 14 00 00 77 60 00 00
2003-10-28	14:03:42	127.0.0.1	66.28.8.118	Tcp	80
1075	RST ACK 	Spoof	66.28.20.42	45 00 00 28 de 63 00 00 77
06 9b d9 7f 00 00 01 42 1c 08 76	00 50 04 33 00 00 00 00 7a f7 00 01
50 14 00 00 66 c2 00 00
2003-10-28	14:04:54	127.0.0.1	66.28.8.12	Tcp	80
1091	RST ACK 	BLOCKED	66.28.20.42	45 00 00 28 f4 5f 00 00 77
06 86 47 7f 00 00 01 42 1c 08 0c	00 50 04 43 00 00 00 00 64 21 00 01
50 14 00 00 7d f2 00 00
2003-10-28	14:06:33	127.0.0.1	66.28.8.101	Tcp	80
1573	RST ACK 	Spoof	66.28.20.42	45 00 00 28 0e 03 00 00 77
06 6c 4b 7f 00 00 01 42 1c 08 65	00 50 06 25 00 00 00 00 7b f3 00 01
50 14 00 00 63 e5 00 00
2003-10-28	14:06:44	127.0.0.1	66.28.8.114	Tcp	80
1209	RST ACK 	Spoof	66.28.20.42	45 00 00 28 11 25 00 00 77
06 69 1c 7f 00 00 01 42 1c 08 72	00 50 04 b9 00 00 00 00 0d f0 00 01
50 14 00 00 d3 47 00 00
2003-10-28	14:07:03	127.0.0.1	66.28.8.113	Tcp	80
1310	RST ACK 	Spoof	66.28.20.42	45 00 00 28 15 e8 00 00 77
06 64 5a 7f 00 00 01 42 1c 08 71	00 50 05 1e 00 00 00 00 55 25 00 01
50 14 00 00 8b ae 00 00
2003-10-28	14:07:51	127.0.0.1	66.28.8.126	Tcp	80
1685	RST ACK 	Spoof	66.28.20.42	45 00 00 28 22 de 00 00 77
06 57 57 7f 00 00 01 42 1c 08 7e	00 50 06 95 00 00 00 00 75 8b 00 01
50 14 00 00 69 c4 00 00



_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

