Date:      Mon, 22 Sep 2003 10:29:46 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Pertti Kosunen <pertti.kosunen@kolumbus.fi>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: [snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Message-ID:  <20030922172946.GB47243@rot13.obsecurity.org>
In-Reply-To: <00b801c380f5$aaef7af0$0b00000a@arenanet.fi>
References:  <030501c37f99$4beb9500$0b00000a@arenanet.fi> <20030920210527.GB38264@rot13.obsecurity.org> <00b801c380f5$aaef7af0$0b00000a@arenanet.fi>



On Mon, Sep 22, 2003 at 01:38:30PM +0300, Pertti Kosunen wrote:
> >> What could cause this loopback traffic?
> >
> > Forged source address on a network with no egress filtering.
> >
> > Kris
>
> Ok, I put ipfw on with the default simple mode.
> ipfw -a l
> 00100   0      0 allow ip from any to any via lo0
> 00200   0      0 deny ip from any to 127.0.0.0/8
> 00300   0      0 deny ip from 127.0.0.0/8 to any
> ...
>
> Still get this:
> tcpdump: listening on xl0
> 12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1165: R 0:0(0) ack 1416364033 win 0
> 12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1284: R 0:0(0) ack 72679425 win 0
> 12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1667: R 0:0(0) ack 1243086849 win 0
>
> 0:90:1a:40:1f:db is the default gateway's (ISP) MAC address; xl0 0:50:da:ca:61:e9
> is my outside net card.
>
> Is this normal traffic, and what should I check next?

Yes, and ipfw should be denying the packets.  Is it not doing so?
Note that you'll still see them on the wire from the external network,
because ipfw can't make the packets disappear en route into the
machine, it can only deny them once they get there.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/bzGKWry0BWjoQKURAj3cAKCD8A6ow2fvGY0D1hYtEItXrQIqNwCcD+lg
WeLLbaMwCBodsbkyVpMEtpw=
=VGpR
-----END PGP SIGNATURE-----
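As an added illustration of the exchange above (example code written for this archive page, not something posted in the thread or shipped with FreeBSD), the script below parses tcpdump lines of the shape Pertti quoted and walks them through the three ipfw rules he listed, first-match style, to show that a 127/8-sourced packet arriving on xl0 hits rule 00300 and is denied, while the same source via lo0 is allowed by rule 00100. The sample capture lines are constructed from the thread with the obscured "out.ip" replaced by the documentation address 203.0.113.5; the ipfw semantics modelled are only the subset these rules need ("via" matches the named interface, first matching rule wins), and the fall-through to a deny at rule 65535 is an assumption noted in the code.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the tcpdump -e lines quoted in the thread, with the
# obscured "out.ip" replaced by the documentation address 203.0.113.5.
TCPDUMP_LINES = """\
tcpdump: listening on xl0
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 203.0.113.5.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 203.0.113.5.1284: R 0:0(0) ack 72679425 win 0
12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 203.0.113.5.1667: R 0:0(0) ack 1243086849 win 0
"""
CAPTURE_IFACE = "xl0"  # tcpdump was "listening on xl0" in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) 0800 \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str
    flags: str = ""


def make_packet(src: str, dst: str, iface: str, flags: str = "") -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), iface, flags)


def parse_tcpdump(text: str, iface: str) -> list:
    """Parse tcpdump -e lines of the shape seen in the thread; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "tcpdump: listening on xl0"
        packets.append(make_packet(m["src"], m["dst"], iface, m["flags"]))
    return packets


ANY = ipaddress.IPv4Network("0.0.0.0/0")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# (rule number, action, source net, destination net, "via" interface or None),
# transcribed from the `ipfw -a l` listing quoted in the thread.
RULES = [
    (100, "allow", ANY, ANY, "lo0"),
    (200, "deny", ANY, LOOPBACK, None),
    (300, "deny", LOOPBACK, ANY, None),
]
# Assumption for this example: a packet matching none of the listed rules falls
# through to ipfw's built-in rule 65535, modelled here as deny.
DEFAULT_RULE = (65535, "deny")


def first_match(pkt: Packet, rules=RULES) -> tuple:
    """Subset of ipfw semantics used here: the first matching rule decides."""
    for number, action, src_net, dst_net, via in rules:
        if via is not None and pkt.iface != via:
            continue
        if pkt.src in src_net and pkt.dst in dst_net:
            return number, action
    return DEFAULT_RULE


def loopback_from_outside(pkt: Packet) -> bool:
    """A 127/8 source that did not arrive on lo0 can only be a forged address:
    loopback traffic never legitimately leaves a host, so this is the
    detection check a sensor like snort is raising on."""
    return pkt.src in LOOPBACK and pkt.iface != "lo0"


if __name__ == "__main__":
    # tcpdump sees the frame on the wire before ipfw evaluates it, which is why
    # the packets still show up in the capture even though rule 00300 denies them.
    for pkt in parse_tcpdump(TCPDUMP_LINES, CAPTURE_IFACE):
        number, action = first_match(pkt)
        tag = "  [forged loopback source]" if loopback_from_outside(pkt) else ""
        print(f"{pkt.src} -> {pkt.dst} via {pkt.iface}: rule {number:05d} {action}{tag}")
```

Run it as-is to see each quoted RST classified; the point Kris makes, that the capture happens before the firewall decision, is why the same packets appear in tcpdump and are still dropped by ipfw.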




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030922172946.GB47243>