[Snort-users] Suspected DoS: BAD TRAFFIC loopback traffic

Bosse Klykken bosse at ...10584...
Tue Nov 18 07:38:06 EST 2003

Hi, I just wanted to get confirmation from you guys on this: does this
seem to be a DoS attack against my ISP? The destination IP spans
randomly throughout my public IP range, but does not occur more often
than every few minutes.

When I first got this alert, I thought it might be some crazy
misconfigured webserver responding to a request in a weird way, but
after monitoring this for a while, I see that it has no fixed
destination address, and that it goes on and on in off-peak hours as
well. There have been several thousand cases of this kind of bad
traffic in the last days.

#(2 - 4126) [2003-11-18 06:25:29]  BAD TRAFFIC loopback traffic
IPv4: -> 194.143.xx.xx
      hlen=5 TOS=0 dlen=40 ID=51371 flags=0 offset=0 TTL=118 chksum=10312
TCP:  port=80 -> dport: 1495  flags=***A*R** seq=0
      ack=423952385 off=5 res=0 win=0 urp=0 chksum=15495
Payload: none

Thanks for your help,
Bosse Klykken - http://www.klykken.com/~bosse - PGP: 0x570ABB4E
Act like nothing's wrong
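
The triage the post describes (do the alerts share a destination, do they continue off-peak, what kind of TCP segment are they) can be tallied from the alert text itself. The Python below is an added example, not part of the original post or of Snort; the record layout is taken from the alert quoted above, while the sample values, the 192.0.2.x destinations and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the post's alert layout; 192.0.2.0/24 is a documentation range.
TEMPLATE = """#(2 - {n}) [{ts}]  BAD TRAFFIC loopback traffic
IPv4: -> {dst}
      hlen=5 TOS=0 dlen=40 ID=51371 flags=0 offset=0 TTL=118 chksum=10312
TCP:  port=80 -> dport: {dport}  flags={flags} seq=0
      ack=423952385 off=5 res=0 win=0 urp=0 chksum=15495
Payload: none
"""
ROWS = [(4126, "2003-11-18 06:25:29", "192.0.2.17", 1495, "***A*R**"),
        (4127, "2003-11-18 06:29:02", "192.0.2.201", 2210, "***A*R**"),
        (4128, "2003-11-18 14:02:40", "192.0.2.17", 3304, "******S*")]
SAMPLE = "\n".join(TEMPLATE.format(n=n, ts=ts, dst=d, dport=p, flags=f)
                   for n, ts, d, p, f in ROWS)

HEADER = re.compile(r"^#\(\d+ - \d+\) \[\d{4}-\d\d-\d\d (\d\d):\d\d:\d\d\]\s+(.+)$")
IPV4 = re.compile(r"^IPv4:\s*([\d.]*)\s*->\s*(\S+)")  # source may be blank
TCP = re.compile(r"^TCP:\s+port=(\d+) -> dport: (\d+)\s+flags=(\S+)")

def parse(text):
    """Yield one dict per alert record found in the text."""
    rec = {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            if "hour" in rec:
                yield rec
            rec = {"hour": int(m[1]), "sig": m[2]}
        elif m := IPV4.match(line):
            rec["src"], rec["dst"] = m.groups()
        elif m := TCP.match(line):
            rec["sport"], rec["dport"] = int(m[1]), int(m[2])
            rec["flags"] = set(m[3]) - {"*"}  # "***A*R**" -> {"A", "R"}
        elif line.startswith("Payload:"):
            rec["payload"] = line.split(":", 1)[1].strip()
    if "hour" in rec:
        yield rec

def summarize(text):
    recs = list(parse(text))
    # RST+ACK with no payload is a reply-type segment, not a connection attempt.
    replies = [r for r in recs if {"A", "R"} <= r.get("flags", set())
               and r.get("payload") == "none"]
    return {"alerts": len(recs), "rst_ack_no_payload": len(replies),
            "per_dst": Counter(r["dst"] for r in recs if "dst" in r),
            "per_hour": Counter(r["hour"] for r in recs)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```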
