[Snort-users] loopback traffic

Matt Kettler mkettler at ...4108...
Wed May 19 15:57:04 EDT 2004


At 04:11 PM 5/19/2004, Security Personnel wrote:
>Down to some more strangeness ---> the packets are rarely to the same 
>port, they come to EVERY machine on our IP range, and picking apart the 
>headers has given me the originating MAC address of our ISP's gateway machine!

Well, that's not surprising.. all packets inbound from the internet are 
going to have your ISP's gateway machine MAC address on them. It's a 
gateway after all.

So, basically what you can conclude is that someone, somewhere outside your 
network (or at least on the other side of your gateway) has sent a packet 
with 127.0.0.1 as a source address to your network.

This could be a result of deliberate spoofing, it could be a weak DoS 
attempt, or it could just be someone's system is broken and spewing 
malformed packets.

The sending machine could be the ISP's gateway, or any part of your ISP's 
network, or any part of the internet as a general whole.

>Any ideas? any fellow sufferers?

Firewall inbound packets with 127.0.0.1 as a source address?
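
The ingress check suggested above, as an added example that is not part of the original message: it drops loopback-sourced packets arriving on an external interface and shows that every dropped packet carries the same gateway MAC, so the MAC says nothing about the real sender. The interface name `wan0`, the helper names and the sample records are assumptions constructed for illustration, and the check is widened from 127.0.0.1 to all of 127.0.0.0/8.

```python
import ipaddress
from collections import Counter

# The whole loopback block, not just 127.0.0.1 (a generalization of the advice above).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample records, not taken from the thread:
# (interface, source MAC, source IP, destination IP, destination port)
SAMPLE_PACKETS = [
    ("wan0", "00:00:5e:00:53:01", "127.0.0.1",    "192.0.2.10", 1025),
    ("wan0", "00:00:5e:00:53:01", "127.0.0.1",    "192.0.2.11", 4662),
    ("wan0", "00:00:5e:00:53:01", "198.51.100.7", "192.0.2.10", 80),
    ("lo",   "00:00:00:00:00:00", "127.0.0.1",    "127.0.0.1",  631),
    ("wan0", "00:00:5e:00:53:01", "127.0.0.53",   "192.0.2.12", 135),
]

def verdict(iface, src_ip, external_ifaces=("wan0",)):
    """Return 'drop' for a loopback-sourced packet seen on an external interface.

    Loopback traffic is only legitimate on the local loopback interface, so the
    same source address is accepted there and dropped at the network edge.
    """
    src = ipaddress.ip_address(src_ip)
    if iface in external_ifaces and src in LOOPBACK:
        return "drop"
    return "accept"

def summarize(packets):
    """Count dropped packets and collect the link-layer source and targets seen."""
    dropped = [p for p in packets if verdict(p[0], p[2]) == "drop"]
    return {
        "dropped": len(dropped),
        # Every inbound frame carries the gateway's MAC, whoever sent the packet.
        "source_macs": Counter(p[1] for p in dropped),
        "targets": sorted({p[3] for p in dropped}),
    }

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(verdict(pkt[0], pkt[2]), pkt)
    print(summarize(SAMPLE_PACKETS))
```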