Date: Mon, 7 Jun 2004 16:10:46 +1000 (EST) From: Neo-Vortex <root@Neo-Vortex.Ath.Cx> To: Michael Vlasov <mv@rbr.ru> Cc: freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 61, Issue 3 Message-ID: <20040607160728.A47101@Neo-Vortex.Ath.Cx> In-Reply-To: <opr87mhdtds10hlf@mv.rbr.ru> References: <20040529190052.25D1916A4CF@hub.freebsd.org> <opr87mhdtds10hlf@mv.rbr.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 7 Jun 2004, Michael Vlasov wrote: > On Sat, 29 May 2004 12:00:52 -0700 (PDT), > <freebsd-security-request@freebsd.org> wrote: > > Hello ! > > Today i see in snort logs : > > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] > [Classification: Potentially Bad Traffic] [Priority: 2] > 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566 > TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40 > ***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen: 20 > [Xref => http://rr.sans.org/firewall/egress.php] > > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] > [Classification: Potentially Bad Traffic] [Priority: 2] > 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299 > TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40 > ***A*R** Seq: 0x0 Ack: 0x568A0001 Win: 0x0 TcpLen: 20 > [Xref => http://rr.sans.org/firewall/egress.php] > > [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] > [Classification: Potentially Bad Traffic] [Priority: 2] > 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032 > TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40 > ***A*R** Seq: 0x0 Ack: 0x37920001 Win: 0x0 TcpLen: 20 > [Xref => http://rr.sans.org/firewall/egress.php] > > Why ? ;-) Ok, that means that someone (or thing) is spoofing packets to your box (i know, and so does snort, that its spoofed because the source ip is 127.0.0.1 and its coming in on an interface apart from lo0) this is sometimes used as a DoS attack (its one of those fun addresses to use as source addresses for them), although, by the looks of it (because theres multiple dst-ports being used), someone is using a program like nmap to portscan your host using a spoofed ip ~Neo-Vortex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040607160728.A47101>