[Snort-users] loopback traffic
j.riden at ...11179...
Wed May 19 16:53:01 EDT 2004
Matt Kettler <mkettler at ...4108...> writes:
> So, basically what you can conclude is that someone, somewhere outside
> your network (or at least on the other side of your gateway) has sent
> a packet with 127.0.0.1 as a source address to your network.
> This could be a result of deliberate spoofing, it could be a weak DoS
> attempt, or it could just be someone's system is broken and spewing
> malformed packets.
I think you could also do it if some machines were doing source
routing, but I'd hope that everyone has turned that off by now.
> The sending machine could be the ISP's gateway, or any part of your
> ISPs network, or any part of the internet as a general whole.
>>Any ideas? any fellow sufferers?
> Firewall inbound packets with 127.0.0.1 as a source address?
127/8, and 10/8 and 192.168/16, etc. - see RFC1918. And definitely
filter anything outbound with invalid source addresses too, please.
If you're using NAT with one of these networks, adjust as appropriate.
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
More information about the Snort-users