[unisog] Scans from loopback address?
E. Larry Lidz
ellidz at uchicago.edu
Mon Sep 8 02:40:27 GMT 2003
Lois Lehman writes:
>Snippet from the Snort log:
>[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
>[Classification: Potentially Bad Traffic] [Priority: 2]
>09/05-12:06:10.437188 127.0.0.1:80 -> 149.169.xx.xx:1426
>TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
>***A*R** Seq: 0x0 Ack: 0x295D0001 Win: 0x0 TcpLen: 20
>[Xref => http://rr.sans.org/firewall/egress.php]
>I'd love to hear from anyone else who has seen this and, better yet, an
>explanation of the activity.
Do your DNS servers have windowsupdate.com returning loopback as the
IP? Some people did this to prevent Blaster from DoS'ing Microsoft, and
this is what happens...
E. Larry Lidz Phone: +1 773 702-2208
Sr. Network Security Officer Fax: +1 773 834-8444
Network Security Center, The University of Chicago
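To see which destinations are receiving packets shaped like the quoted alert, the alert file can be summarized. This is an added example, not part of either message: the function names are hypothetical and the sample alerts are constructed, using documentation addresses in place of the masked ones.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the alert layout quoted above (documentation addresses).
SAMPLE = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:10.437188 127.0.0.1:80 -> 192.0.2.10:1426
TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x295D0001 Win: 0x0 TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:11.102334 127.0.0.1:80 -> 192.0.2.10:1733
TCP TTL:127 TOS:0x0 ID:46901 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x1F3A0001 Win: 0x0 TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:07:02.000101 127.0.0.5:3301 -> 192.0.2.77:445
TCP TTL:64 TOS:0x0 ID:1200 IpLen:20 DgmLen:48
******S* Seq: 0x5A11 Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

FLOW = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
TTL = re.compile(r"^TCP TTL:(\d+)")
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")

def parse_alerts(text):
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):  # alerts are blank-line separated
        a = {}
        for line in map(str.strip, block.splitlines()):
            if m := FLOW.match(line):
                a.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            elif m := TTL.match(line):
                a["ttl"] = int(m[1])
            elif m := FLAGS.match(line):
                a["flags"] = set(m[1]) - {"*"}  # e.g. {"A", "R"}
        if "src" in a:
            alerts.append(a)
    return alerts

def summarize(alerts):
    """Count alerts like the quoted one (127/8 source, port 80, ACK+RST) per (dst, TTL)."""
    hits = [a for a in alerts if ipaddress.ip_address(a["src"]).is_loopback
            and a["sport"] == 80 and {"A", "R"} <= a.get("flags", set())]
    return Counter((a["dst"], a.get("ttl")) for a in hits)
```

Calling `summarize(parse_alerts(open(path).read()))` on a real alert file gives a per-destination count; the TTL is kept in the key because it hints at how far from the sensor the sender sits.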