[unisog] Scans from loopback address?

E. Larry Lidz ellidz at uchicago.edu
Mon Sep 8 02:40:27 GMT 2003


Lois Lehman writes:
>Snippet from the Snort log:
>
>[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
>[Classification: Potentially Bad Traffic] [Priority: 2] 
>09/05-12:06:10.437188 127.0.0.1:80 -> 149.169.xx.xx:1426
>TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
>***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20
>[Xref => http://rr.sans.org/firewall/egress.php]
>
>I'd love to hear from anyone else who has seen this and, better yet, an
>explanation of the activity.  

Do your DNS servers have windowsupdate.com returning loopback as the
IP? Some people did this to prevent Blaster from DoS'ing Microsoft, and
this is what happens...

-Larry

---
E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
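
Added example, not part of either poster's message: a triage helper for alerts like the one quoted in this thread. It parses Snort full-alert text and marks entries that are RST+ACK segments sourced from 127.0.0.0/8 port 80, which is the shape of the quoted alert. The sample alerts are constructed (documentation addresses) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in Snort full-alert layout, modelled on the alert quoted
# above; destinations are documentation addresses, not the original ones.
SAMPLE_ALERTS = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:06:10.437188 127.0.0.1:80 -> 192.0.2.77:1426
TCP TTL:127 TOS:0x0 ID:46825 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x295D0001  Win: 0x0  TcpLen: 20

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/05-12:07:44.101220 127.0.0.1:3120 -> 192.0.2.9:445
TCP TTL:64 TOS:0x0 ID:1201 IpLen:20 DgmLen:48
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""

ADDR_LINE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
FLAG_LINE = re.compile(r"^([*12UAPRSF]{8}) Seq:")


def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            if m := ADDR_LINE.match(line):
                rec.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            elif m := FLAG_LINE.match(line):
                rec["flags"] = set(m[1]) - {"*"}  # e.g. {"A", "R"}
        if "src" in rec and "flags" in rec:
            yield rec


def is_loopback_http_reset(rec):
    """True for the pattern in the quoted alert: RST+ACK from 127.0.0.0/8 port 80."""
    return (ipaddress.ip_address(rec["src"]).is_loopback
            and rec["sport"] == 80
            and rec["flags"] == {"A", "R"})


def triage(text):
    """Return (dst, dport, matches_pattern) for every parsed alert."""
    return [(r["dst"], r["dport"], is_loopback_http_reset(r)) for r in parse_alerts(text)]
```

Alerts that do not match (such as the second constructed entry, a SYN from a loopback source) are left for separate investigation rather than being attributed to the same cause.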


