[Snort-users] loopback traffic
guardian at ...11830...
Wed May 19 16:46:03 EDT 2004
>At 04:11 PM 5/19/2004, Security Personnel wrote:
>>Down to some more strangeness ---> the packets are rarely to the same
>>port, they come to EVERY machine on our IP range, and picking apart the
>>headers has given me the originating MAC address of our ISP's gateway machine!
>Well, that's not surprising.. all packets inbound from the internet are
>going to have your ISP's gateway machine MAC address on them. It's a
>gateway after all.
Exactly, the surpising part is that the ISP isn't filtering this
traffic. Maybe I am expecting too much, I suppose that would be a big
job, but we're paying quite a bit of money for the connection. I
actually called the ISP, and spoke with the techs there. They didn't
really know what I was talking about, unfortuanately.
>So, basically what you can conclude is that someone, somewhere outside
>network (or at least on the other side of your gateway) has sent a
>with 127.0.0.1 as a source address to your network.
>This could be a result of deliberate spoofing, it could be a weak DoS
>attempt, or it could just be someone's system is broken and spewing
>The sending machine could be the ISP's gateway, or any part of your >ISPs
>network, or any part of the internet as a general whole.
>>Any ideas? any fellow sufferers?
>Firewall inbound packets with 127.0.0.1 as a source address?
Already done, but snort's NIC is in promiscuous mode, so it's getting
everything, even OUTSIDE the firewall traffic. This is usefull for
catching patterns of attempted attacks on the external machines.
Thanks for the feedback!
More information about the Snort-users