[Snort-users] loopback traffic
mkettler at ...4108...
Wed May 19 15:57:04 EDT 2004
At 04:11 PM 5/19/2004, Security Personnel wrote:
>Down to some more strangeness ---> the packets are rarely to the same
>port, they come to EVERY machine on our IP range, and picking apart the
>headers has given me the originating MAC address of our ISP's gateway machine!
Well, that's not surprising.. all packets inbound from the internet are
going to have your ISP's gateway machine MAC address on them. It's a
gateway after all.
So, basically what you can conclude is that someone, somewhere outside your
network (or at least on the other side of your gateway) has sent a packet
with 127.0.0.1 as a source address to your network.
This could be a result of deliberate spoofing, it could be a weak DoS
attempt, or it could just be someone's system is broken and spewing
The sending machine could be the ISP's gateway, or any part of your ISPs
network, or any part of the internet as a general whole.
>Any ideas? any fellow sufferers?
Firewall inbound packets with 127.0.0.1 as a source address?
More information about the Snort-users