[unisog] Scans from loopback address?

Lois Lehman LOIS.LEHMAN at asu.edu
Sun Sep 7 21:27:37 GMT 2003


Beth, I noticed similar traffic from different IDS machines here at ASU that
started on Thursday.  We also were having problems with our web page for
DHCP subscription at the same time.  It looks like there is some correlation
between the scanning and all the inability to access the web page for new
subscriptions.  All the target IP#s we see in our logs were previously
subscribed to DHCP.  None of our static IP#s were scanned in this manner.

Snippet from the Snort log:

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/05-12:06:10.437188 127.0.0.1:80 -> 149.169.xx.xx:1426
TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

I'd love to hear from anyone else who has seen this and, better yet, an
explanation of the activity.  

Thanks!
Lois

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
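An added example (not from either post in this thread): a small parser for the Snort full-format alert Lois quoted, which checks whether the source is a loopback address and notes what the TCP flags say about the packet. The alert shown here is a constructed copy of hers with the destination replaced by a TEST-NET placeholder (192.0.2.10).

```python
import ipaddress
import re

# Constructed sample based on the alert quoted above; the destination
# address is a documentation placeholder, not a real host.
SAMPLE_ALERT = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:10.437188 127.0.0.1:80 -> 192.0.2.10:1426
TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20
"""

# Third line of a full-format alert: timestamp, src:port -> dst:port
HDR = re.compile(r"(?m)^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                 r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Flag line: 8 positions in Snort order 12UAPRSF, '*' meaning the bit is clear
TCP = re.compile(r"(?m)^(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
                 r"Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)")


def parse_alert(text):
    """Return addresses, ports, the set of TCP flags and seq/ack of one alert."""
    h, t = HDR.search(text), TCP.search(text)
    if not h or not t:
        raise ValueError("not a Snort full-format TCP alert")
    return {"src": h["src"], "sport": int(h["sport"]),
            "dst": h["dst"], "dport": int(h["dport"]),
            "flags": set(t["flags"].replace("*", "")),
            "seq": int(t["seq"], 16), "ack": int(t["ack"], 16),
            "win": int(t["win"], 16)}


def classify(pkt):
    """Say whether a loopback-sourced packet is shaped like a probe or a reply."""
    if not ipaddress.ip_address(pkt["src"]).is_loopback:
        return "not-loopback"
    if pkt["flags"] == {"S"}:
        # A bare SYN from 127.0.0.1 on the wire is spoofed or a broken stack.
        return "probe-shaped"
    if (pkt["flags"] == {"A", "R"} and pkt["seq"] == 0
            and pkt["ack"] != 0 and pkt["dport"] >= 1024):
        # RST/ACK with seq 0 and the ACK field set is how a stack refuses a
        # SYN it received: the destination's ephemeral port started this.
        return "reply-shaped"
    return "other"


def classify_text(text):
    return classify(parse_alert(text))
```

On the quoted alert this yields "reply-shaped": the packet is a refusal sent back to port 1426, which points at whatever device answered with source 127.0.0.1 rather than at an inbound scanner.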


-----Original Message-----
From: Young, Beth A. [mailto:youngba at more.net] 
Sent: Friday, September 05, 2003 1:23 PM
To: unisog at sans.org
Subject: [unisog] Scans from loopback address?

We have noticed something very odd on our backbone this afternoon.  It
started with a downstream University site noticing that they were being
scanned by the loopback address (127.0.0.1).  We originally thought it
was probably a configuration goof so we started watching the traffic as
it flowed through our core routers, using Netflow (see snippet).

Why would somebody try scanning the network using the loopback address?
If they are using it as a decoy IP, isn't it a little too obvious?
Also, occasionally, instead of hitting an IP once, it comes back 62
times.  We are watching some of these IPs to see if we can find more
information but it is strange enough to solicit other expert opinions.
Is anybody seeing something similar?

Regards,
Beth Young
MOREnet Security


Start time          End time            src/dst   Src IP          Dst IP          in/out      in/out     ot  src/dst         flg Pkts    Bytes
------------------- ------------------- --------- --------------- --------------- ----------- ---------  --  ----------- --- --- ----- -------
2003/09/05-14:36:33 2003/09/05-14:36:33   -1  153 127.0.0.1       207.160.XXX.176     0  2572  127    4   6    80  1138   0   0     1      40
2003/09/05-14:36:33 2003/09/05-14:36:33   -1   58 127.0.0.1       207.160.XX.49       0  2572  127  737   6    80  1699   0   0     1      40
2003/09/05-14:36:45 2003/09/05-14:36:45   -1  267 127.0.0.1       207.160.XX.116      0  2572  127  843   6    80  1064   0   0     1      40
2003/09/05-14:35:41 2003/09/05-14:35:41   -1  147 127.0.0.1       207.160.XXX.76      0  2572  127    4   6    80  1474   0   0     1      40
2003/09/05-14:39:56 2003/09/05-14:39:56   -1 1024 127.0.0.1       207.160.XXX.149     0  2572  127    4   6    80  1396   0   0     1      40
2003/09/05-14:34:27 2003/09/05-14:34:27   -1  630 127.0.0.1       207.160.XXX.220     0  2572  127    4   6    80  1107   0   0     1      40
2003/09/05-14:37:06 2003/09/05-14:37:06   -1   -1 127.0.0.1       207.160.XXX.87      0  2572  127    4   6    80  1795   0   0     1      40
2003/09/05-14:38:07 2003/09/05-14:38:07   -1   -1 127.0.0.1       207.160.XXX.2       0  2572  127    4   6    80  1743   0   0     1      40
2003/09/05-14:35:04 2003/09/05-14:35:07   -1  124 127.0.0.1       207.160.XX.39       0  2572  329  255   6    80  1531   0   0    62    2480
2003/09/05-14:36:28 2003/09/05-14:36:28   -1  237 127.0.0.1       207.160.XXX.51      0  2572  127    4   6    80  1399   0   0     1      40
2003/09/05-14:35:16 2003/09/05-14:35:16   -1 1213 127.0.0.1       207.160.X.68        0  2572  127  193   6    80  1196   0   0     1      40
