[Snort-users] loopback traffic

James Riden j.riden at ...11179...
Wed May 19 16:53:01 EDT 2004


Matt Kettler <mkettler at ...4108...> writes:

> So, basically what you can conclude is that someone, somewhere outside
> your network (or at least on the other side of your gateway) has sent
> a packet with 127.0.0.1 as a source address to your network.
>
> This could be a result of deliberate spoofing, it could be a weak DoS
> attempt, or it could just be someone's system is broken and spewing
> malformed packets.

I think you could also do it if some machines were doing source
routing, but I'd hope that everyone has turned that off by now.

> The sending machine could be the ISP's gateway, or any part of your
> ISPs network, or any part of the internet as a general whole.
>
>>Any ideas? any fellow sufferers?
>
> Firewall inbound packets with 127.0.0.1 as a source address?

127/8, and 10/8 and 192.168/16, etc. - see RFC1918. And definitely
filter anything outbound with invalid source addresses too, please.

If you're using NAT with one of these networks, adjust as appropriate.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
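
The filtering advice in this message, as an added example that is not part of the original post: a border filter decision that drops inbound packets whose source is loopback or RFC 1918 space, and drops outbound packets whose source is not one of the site's own prefixes. The function names, the sample packets and the 198.51.100.0/24 site prefix are constructed for illustration; `local_nets` is where the "adjust for NAT" case is expressed.

```python
import ipaddress

# Loopback plus the three RFC 1918 private ranges: never valid as a source
# on a packet arriving from the upstream side of the gateway.
INBOUND_BOGONS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def verdict(direction, src, local_nets):
    """Return (action, reason) for one packet seen at the filter point.

    direction  -- "in" (arriving from upstream) or "out" (leaving the site)
    src        -- source IPv4 address as a string
    local_nets -- prefixes that are legitimate sources at the filter point;
                  with NAT, list the private range if the filter sits before
                  translation, or the public prefix if it sits after.
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        hit = next((n for n in INBOUND_BOGONS if addr in n), None)
        if hit is not None:
            return ("drop", f"bogon source in {hit}")
        return ("pass", "")
    if direction == "out":
        if any(addr in ipaddress.ip_network(n) for n in local_nets):
            return ("pass", "")
        return ("drop", "source not in a local prefix")
    raise ValueError(f"unknown direction: {direction!r}")


def audit(packets, local_nets):
    """Apply verdict() to (direction, src) pairs and return the actions."""
    return [verdict(d, s, local_nets)[0] for d, s in packets]


# Constructed sample traffic (documentation and private addresses only).
SAMPLE = [
    ("in", "127.0.0.1"),       # the case discussed in this thread
    ("in", "192.168.4.20"),    # private source arriving from outside
    ("in", "203.0.113.9"),     # ordinary routable source
    ("out", "198.51.100.17"),  # our own prefix leaving the site
    ("out", "10.1.1.1"),       # invalid source leaking outbound
    ("out", "127.0.0.1"),      # loopback source leaking outbound
]

if __name__ == "__main__":
    for (d, s), action in zip(SAMPLE, audit(SAMPLE, ["198.51.100.0/24"])):
        print(f"{d:3} {s:15} {action}")
```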





