Scans from loopback address?

Young, Beth A. youngba at more.net
Fri Sep 5 20:22:58 GMT 2003


We have noticed something very odd on our backbone this afternoon.  It
started with a downstream University site noticing that they were being
scanned by the loopback address (127.0.0.1).  We originally thought it
was probably a configuration goof so we started watching the traffic as
it flowed through our core routers, using Netflow (see snippet).

Why would somebody try scanning the network using the loopback address?
If they are using it as a decoy IP, isn't it a little too obvious?
Also, occasionally, instead of hitting an IP once, it comes back 62
times.  We are watching some of these IPs to see if we can find more
information but it is strange enough to solicit other expert opinions.
Is anybody seeing something similar?

Regards,
Beth Young
MOREnet Security


Start time          End time            src/dst   Src IP          Dst IP in/out      in/out     ot  src/dst         flg Pkts    Bytes
------------------- ------------------- --------- --------------- --------------- ----------- ---------  --  ----------- --- --- ----- -------
2003/09/05-14:36:33 2003/09/05-14:36:33   -1  153 127.0.0.1 207.160.XXX.176     0  2572  127    4   6    80  1138   0   0     1    40
2003/09/05-14:36:33 2003/09/05-14:36:33   -1   58 127.0.0.1 207.160.XX.49       0  2572  127  737   6    80  1699   0   0     1    40
2003/09/05-14:36:45 2003/09/05-14:36:45   -1  267 127.0.0.1 207.160.XX.116      0  2572  127  843   6    80  1064   0   0     1    40
2003/09/05-14:35:41 2003/09/05-14:35:41   -1  147 127.0.0.1 207.160.XXX.76      0  2572  127    4   6    80  1474   0   0     1    40
2003/09/05-14:39:56 2003/09/05-14:39:56   -1 1024 127.0.0.1 207.160.XXX.149     0  2572  127    4   6    80  1396   0   0     1    40
2003/09/05-14:34:27 2003/09/05-14:34:27   -1  630 127.0.0.1 207.160.XXX.220     0  2572  127    4   6    80  1107   0   0     1    40
2003/09/05-14:37:06 2003/09/05-14:37:06   -1   -1 127.0.0.1 207.160.XXX.87      0  2572  127    4   6    80  1795   0   0     1    40
2003/09/05-14:38:07 2003/09/05-14:38:07   -1   -1 127.0.0.1 207.160.XXX.2       0  2572  127    4   6    80  1743   0   0     1    40
2003/09/05-14:35:04 2003/09/05-14:35:07   -1  124 127.0.0.1 207.160.XX.39       0  2572  329  255   6    80  1531   0   0    62  2480
2003/09/05-14:36:28 2003/09/05-14:36:28   -1  237 127.0.0.1 207.160.XXX.51      0  2572  127    4   6    80  1399   0   0     1    40
2003/09/05-14:35:16 2003/09/05-14:35:16   -1 1213 127.0.0.1 207.160.X.68        0  2572  127  193   6    80  1196   0   0     1    40
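
As an added example (not part of the original message and not MOREnet's tooling): a Python sketch of the check described above, flagging flow records whose source address falls in 127.0.0.0/8 and totalling them per destination. The column positions are an assumption read off the snippet rows once each wrapped row is joined onto one line, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (documentation address ranges). Assumed layout:
# 17 whitespace-separated fields per row, as in the snippet above.
SAMPLE = """\
2003/09/05-14:36:33 2003/09/05-14:36:33 -1 153 127.0.0.1 192.0.2.176 0 2572 127 4 6 80 1138 0 0 1 40
2003/09/05-14:35:04 2003/09/05-14:35:07 -1 124 127.0.0.1 192.0.2.39 0 2572 329 255 6 80 1531 0 0 62 2480
2003/09/05-14:36:40 2003/09/05-14:36:41 12 58 198.51.100.7 192.0.2.49 0 2572 127 737 6 3345 80 0 0 5 620
2003/09/05-14:37:02 2003/09/05-14:37:02 -1 90 127.0.0.1 192.0.2.39 0 2572 127 4 6 80 1532 0 0 1 40
truncated line
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_flow(line):
    """Return a dict for one flow row, or None for headers and damaged lines."""
    f = line.split()
    if len(f) != 17:
        return None
    try:
        # Assumed positions: 4=src IP, 5=dst IP, 10=protocol, 11=src port,
        # 12=dst port, 15=packets, 16=bytes. dst stays a string because
        # exported reports often mask octets (e.g. "XXX").
        return {"start": f[0], "src": ipaddress.ip_address(f[4]), "dst": f[5],
                "proto": int(f[10]), "sport": int(f[11]), "dport": int(f[12]),
                "pkts": int(f[15]), "bytes": int(f[16])}
    except ValueError:
        return None

def loopback_sources(text):
    """Total the flows sourced from 127.0.0.0/8, keyed by destination."""
    hits = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "sports": set()})
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["src"] not in LOOPBACK:
            continue
        h = hits[rec["dst"]]
        h["flows"] += 1
        h["pkts"] += rec["pkts"]
        h["bytes"] += rec["bytes"]
        h["sports"].add(rec["sport"])
    return dict(hits)

if __name__ == "__main__":
    # Destinations receiving the most loopback-sourced packets first.
    for dst, h in sorted(loopback_sources(SAMPLE).items(), key=lambda kv: -kv[1]["pkts"]):
        print(dst, h["flows"], h["pkts"], h["bytes"], sorted(h["sports"]))
```

Sorting by packet count brings destinations like the 62-packet one in the snippet to the top, which are the ones worth watching more closely.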


