[unisog] Scans from loopback address?

E. Larry Lidz ellidz at uchicago.edu
Mon Sep 8 02:40:27 GMT 2003

Lois Lehman writes:
>Snippet from the Snort log:
>[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
>[Classification: Potentially Bad Traffic] [Priority: 2] 
>09/05-12:06:10.437188 -> 149.169.xx.xx:1426
>TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
>***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20
>[Xref => http://rr.sans.org/firewall/egress.php]
>I'd love to hear from anyone else who has seen this and, better yet, an
>explanation of the activity.  

Do your DNS servers have windowsupdate.com returning loopback as the
IP? Some people did this to prevent Blaster from DoS'ing Microsoft, and
this is what happens...


E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
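
A triage helper for alerts like the one quoted above, added here as an example and not part of the original thread: it groups loopback-source Snort alerts by TCP flags and source port, so reset replies (the A+R flags in the quoted alert) can be told apart from SYN probes. The sample records, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Snort full-alert records; addresses are documentation ranges.
SAMPLE = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:10.437188 127.0.0.1:80 -> 192.0.2.10:1426
TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:11.102233 127.0.0.1:80 -> 192.0.2.77:1093
TCP TTL:127 TOS:0x0 ID:46901 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1C330001  Win: 0x0  TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:07:02.000417 127.0.0.5:3120 -> 198.51.100.4:8080
TCP TTL:64 TOS:0x0 ID:1201 IpLen:20 DgmLen:48
******S* Seq: 0x5A10  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""

PKT = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$", re.M)
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq:", re.M)

def classify(flags):
    """Map Snort's 8-char flag field (12UAPRSF) to a triage label."""
    if "R" in flags:
        return "reset-reply"      # answer to a packet, not a probe
    if "S" in flags and "A" not in flags:
        return "syn-probe"        # connection attempt
    return "other"

def triage(text):
    """Group loopback-source alerts by (label, source port)."""
    groups = defaultdict(set)
    for record in text.strip().split("\n\n"):
        pkt, flags = PKT.search(record), FLAGS.search(record)
        if not pkt or not flags:
            continue              # e.g. source stripped from the log line
        src, sport, dst, _ = pkt.groups()
        if ipaddress.ip_address(src).is_loopback:
            groups[(classify(flags.group(1)), int(sport))].add(dst)
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (label, sport), dsts in triage(SAMPLE).items():
        print(f"{label:12} src port {sport:<5} -> {len(dsts)} destination(s): {dsts}")
```

Records whose source address is missing from the packet line, as in the quoted snippet, are skipped rather than guessed at.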
