[Snort-users] Re: Slightly OT: Anyone else seeing TCP traffic from 127.0.0.1:80?

Bier_und_Schnaps at ...348... Bier_und_Schnaps at ...348...
Wed Sep 3 05:20:04 EDT 2003


Hi,

this behaviour could stem from the measure of some companies to disarm the
Blaster.A DDOS attack. They modified their DNS servers to resolve
windowsupdate.com to 127.0.0.1. By doing that, the requests of infected clients to DDOS
windowsupdate.com weren't routed over the network. But as a result of that
measure, RST ACK packets with SRC 127.0.0.1:80 to <RandomIP> occurred, as most of
the infected clients didn't have a webserver listening on 127.0.0.1:80 and
therefore the connection was declined.
Maybe that explains the odd packets you recognize.

Regards Joachim


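A small triage script for the situation described above, added here as an example and not code from the poster or the Snort project: it reads tcpdump-style summary lines, flags any packet whose source is a 127.0.0.0/8 address (which should never appear on a real interface), and marks RST/ACK packets from port 80 as consistent with the windowsupdate.com-to-127.0.0.1 sinkhole explanation. The sample lines and the verdict labels are constructed assumptions.

```python
import re
from collections import namedtuple

# Matches tcpdump-style summary lines such as
# "12:00:01.000 IP 127.0.0.1.80 > 10.1.2.3.3105: Flags [R.], seq 0, ack 1, win 0"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

Finding = namedtuple("Finding", "src sport dst dport flags verdict")

def classify(line):
    """Return a Finding for a loopback-sourced packet seen on the wire, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    sport, dport = int(m["sport"]), int(m["dport"])
    flags = m["flags"]
    # 127.0.0.0/8 is never a legitimate source on a real interface; anything
    # seen here was spoofed or leaked by a misbehaving host stack.
    if not src.startswith("127."):
        return None
    if sport == 80 and "R" in flags:
        # RST from 127.0.0.1:80: matches the sinkholed windowsupdate.com pattern
        verdict = "loopback-sinkhole-rst"
    else:
        verdict = "loopback-src-on-wire"
    return Finding(src, sport, dst, dport, flags, verdict)

def scan(lines):
    return [f for f in (classify(l) for l in lines) if f]

def suspect_hosts(findings):
    """Destinations receiving sinkhole RSTs: candidates for an infected client."""
    return sorted({f.dst for f in findings if f.verdict == "loopback-sinkhole-rst"})

# Constructed sample lines (not a real capture).
SAMPLE = [
    "12:00:01.000 IP 127.0.0.1.80 > 10.1.2.3.3105: Flags [R.], seq 0, ack 1, win 0",
    "12:00:01.100 IP 10.1.2.3.3106 > 192.0.2.10.80: Flags [S], seq 42, win 16384",
    "12:00:02.000 IP 127.0.0.1.53 > 10.1.2.4.1029: Flags [.], ack 1, win 8760",
    "garbage line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print("suspect hosts:", suspect_hosts(scan(SAMPLE)))
```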