[Snort-users] Re: Bad Loopback Traffic

bclark at ...10956... bclark at ...10956...
Wed Feb 25 10:26:07 EST 2004

My new comments below:

> The best summary of an explanation I have seen is attached below (From
> Dan of the Incidents list).
> Regards,
> Frank
> ---8<---
> -----Forwarded Message-----
> From: Dan Hanson <dhanson at ...35...>
> To: incidents at ...35...
> Subject: Administrivia: Are you seeing portscans from source
> source port 80?
> Date: Tue, 28 Oct 2003 08:59:56 -0700
> I am posting this in the hopes of dulling the 5-6 messages I get every
> day
> that are reporting port scans to their network all of which have a
> source
> IP of and source port 80.
> It is likely Blaster (check your favourite AV site for a writeup, I
> won't
> summarize here).
> The reason that people are seeing this has to do with some very bad
> advice
> that was given early in the blaster outbreak. The advice basically was
> that to protect the Internet from the DoS attack that was to hit
> windowsupdate.com, all DNS servers should return for queries
> to
> windowsupdate.com. Essentially these suggestions were suggesting that
> hosts should commit suicide to protect the Internet.
> The problem is that the DoS routine spoofs the source address, so when
> windowsupdate.com resolves to the following happens.
> Infected host picks address as source address and sends Syn packet to
> port 80. (Sends it to itself) (This never makes it on the
> wire,
> you will not see this part)
> TCP/IP stack receives packet, responds with reset (if there is nothing
> listening on that port), sending the reset to the host with the spoofed
> source address (this is what people are seeing and mistaking for
> portscans)
> Result: It looks like a host is port scanning ephemeral ports using
> packets with source address:port of
> Solution: track back the packets by MAC address to find the infected
> machine. Turn off NS resolution of windowsupdate.com to
> Hope that helps
> D

Not sure that is it because the destination is port 80, not localhost, but
I do see the packet has a FIN flag. Most of the time the destinations are
within the Class A that my Class C belongs to.
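A defender-side check for the artifact Dan describes, added here as an example (it is not from the original thread, and it is not Snort code or output): an infected host that resolves windowsupdate.com to itself answers its own spoofed SYNs with RSTs, so on the wire you see one host sending TCP RSTs from source port 80 to many ephemeral ports on many other hosts. The script below groups constructed packet records by source, flags sources that match that pattern, and keeps the source MAC so the box can be traced back as the message suggests. It also separates that pattern from a genuine SYN sweep (varying source port, SYN flag only). The record format, the sample records and the thresholds are all assumptions made for this example. Note that it only tests the RST explanation; packets carrying a FIN flag, as observed in the reply above, would not match it.

```python
"""Flag hosts emitting TCP RSTs from source port 80 toward many ephemeral
ports, and tell them apart from an ordinary SYN sweep.

Record format (constructed for this example, not a Snort log):
    time src_mac src_ip src_port dst_ip dst_port tcp_flags
"""
from collections import defaultdict

EPHEMERAL_MIN = 1024    # assumption: dst ports >= 1024 count as ephemeral
MIN_RST_TARGETS = 5     # assumption: distinct (dst, dport) pairs before alerting
MIN_SCAN_PORTS = 5      # assumption: distinct (dst, dport) SYNs before calling it a scan

# Constructed sample traffic: one host answering with RSTs from port 80,
# one normal web server, and one host doing a real SYN sweep.
SAMPLE_LOG = """\
10:00:01 00:11:22:33:44:55 10.1.2.3 80 10.1.9.10 1034 R
10:00:01 00:11:22:33:44:55 10.1.2.3 80 10.1.9.11 1035 RA
10:00:02 00:11:22:33:44:55 10.1.2.3 80 10.1.9.12 1036 R
10:00:02 00:11:22:33:44:55 10.1.2.3 80 10.1.9.13 1037 R
10:00:03 00:11:22:33:44:55 10.1.2.3 80 10.1.9.14 1038 R
10:00:03 00:11:22:33:44:55 10.1.2.3 80 10.1.9.15 1039 R
10:00:04 00:aa:bb:cc:dd:ee 10.1.2.7 80 10.1.9.20 1040 A
10:00:05 00:aa:bb:cc:dd:ee 10.1.2.7 80 10.1.9.20 1040 PA
10:00:06 00:de:ad:be:ef:00 10.1.2.9 40000 10.1.9.30 21 S
10:00:06 00:de:ad:be:ef:00 10.1.2.9 40001 10.1.9.30 22 S
10:00:06 00:de:ad:be:ef:00 10.1.2.9 40002 10.1.9.30 23 S
10:00:07 00:de:ad:be:ef:00 10.1.2.9 40003 10.1.9.30 25 S
10:00:07 00:de:ad:be:ef:00 10.1.2.9 40004 10.1.9.30 80 S
"""


def parse_line(line):
    """Split one record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, mac, sip, sport, dip, dport, flags = parts
    return {"ts": ts, "mac": mac, "sip": sip, "sport": int(sport),
            "dip": dip, "dport": int(dport), "flags": flags}


def classify_sources(log_text):
    """Return {src_ip: {verdict, macs, rst_targets, syn_targets}} for the log."""
    per_src = defaultdict(lambda: {"macs": set(), "rst80": set(), "syn": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["sip"]]
        s["macs"].add(rec["mac"])
        # RST (with or without ACK) from port 80 to an ephemeral port: the
        # self-spoofed-SYN artifact described in the forwarded message.
        if "R" in rec["flags"] and rec["sport"] == 80 and rec["dport"] >= EPHEMERAL_MIN:
            s["rst80"].add((rec["dip"], rec["dport"]))
        # Bare SYNs to many distinct targets: an ordinary connect/SYN sweep.
        elif rec["flags"] == "S":
            s["syn"].add((rec["dip"], rec["dport"]))

    report = {}
    for sip, s in per_src.items():
        if len(s["rst80"]) >= MIN_RST_TARGETS:
            verdict = "rst_from_port_80"
        elif len(s["syn"]) >= MIN_SCAN_PORTS:
            verdict = "possible_syn_scan"
        else:
            verdict = "normal"
        report[sip] = {"verdict": verdict, "macs": sorted(s["macs"]),
                       "rst_targets": len(s["rst80"]), "syn_targets": len(s["syn"])}
    return report


if __name__ == "__main__":
    for sip, r in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{sip:<10} {r['verdict']:<18} macs={','.join(r['macs'])} "
              f"rst_targets={r['rst_targets']} syn_targets={r['syn_targets']}")
```

Run it against a file of records in the same layout and act on any source reported as rst_from_port_80: the MAC column is what lets you find the switch port and the machine behind it, which is the tracking step the forwarded message recommends.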

