[unisog] Scans from loopback address?

John Kristoff jkristof at condor.depaul.edu
Sun Sep 7 18:02:01 GMT 2003


On Fri, Sep 05, 2003 at 03:22:58PM -0500, Young, Beth A. wrote:
> Why would somebody try scanning the network using the loopback address?

They probably wouldn't.  It may be an intentional denial of service
attack, where the source IP is spoofed using the loopback or, more
likely, something is misconfigured, or even possibly a little bit of
both.
 
> times.  We are watching some of these IPs to see if we can find more
> information but it is strange enough to solicit other expert opinions.
> Is anybody seeing something similar?

We do not forward with a source of IP 127/8 or most any other bogus
addresses and I'd recommend that you consider implementing similar
tactics in the network to completely stop obvious bogus traffic from
getting forwarded by any router interface.  You can use filters/ACLs,
some form of uRPF checking or blackhole routing to name the most
common techniques (some use a combination).

John



More information about the unisog mailing list