[Snort-users] Re: loopback traffic
frank at ...9761...
Wed May 19 18:18:01 EDT 2004
On Wed, 2004-05-19 at 17:49, Richard Bejtlich wrote:
> I've checked firewall logs, and the kernel, of course, is spitting out
> "martian source" errors.. because packets from 127.0.0.1 should never
> be on the wire, right?
> I'm seeing these packets as well. They began appearing just after
> midnight GMT on 17 May 04 at one of my sites, but not others. A new
> alert just arrived a few minutes ago.
> The source port is 80 TCP and the destination ranges from 1012 to 1992
> TCP. They are all RST ACKs.
They just now started? Or are you just now starting to watch for loop
I've seen these since October last year. This appears to get asked every
couple months on this list, so here is again the usual reply (see
---8<---[forwarded without permission]--->8---
<dhanson at ...35...>
incidents at ...35...
source port 80?
Tue, 28 Oct 2003
I am posting this in the hopes of dulling the 5-6 messages I get every
that are reporting port scans to their network all of which have a
IP of 127.0.0.1 and source port 80.
It is likely Blaster (check your favourite AV site for a writeup, I
The reason that people are seeing this has to do with some very bad
that was given early in the blaster outbreak. The advice basically was
that to protect the Internet from the DoS attack that was to hit
windowsupdate.com, all DNS servers should return 127.0.0.1 for queries
windowsupdate.com. Essentially these suggestions were suggesting that
hosts should commit suicide to protect the Internet.
The problem is that the DoS routine spoofs the source address, so when
windowsupdate.com resolves to 127.0.0.1 the following happens.
Infected host picks address as source address and sends Syn packet to
127.0.0.1 port 80. (Sends it to itself) (This never makes it on the
you will not see this part)
TCP/IP stack receives packet, responds with reset (if there is nothing
listening on that port), sending the reset to the host with the spoofed
source address (this is what people are seeing and mistaking for
Result: It looks like a host is port scanning ephemeral ports using
packets with source address:port of 127.0.0.1:80
Solution: track back the packets by MAC address to find the infected
machine. Turn off NS resolution of windowsupdate.com to 127.0.0.1.
Hope that helps
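As an added example (not part of the original thread or of Snort), a small Python detector implementing the "track back the packets by MAC address" step from the forwarded message: it parses raw Ethernet/IPv4/TCP frames, flags the on-the-wire signature described above (source address in 127/8, source port 80, RST+ACK set), and counts hits per source MAC so the infected host can be identified. All frames, MAC addresses, IPs and ports are constructed sample data and the helper names are my own; the frame builder only produces bytes for the parser to consume and never transmits anything.

```python
import struct
import ipaddress
from collections import Counter

# Header layouts (network byte order); checksums are left at zero in the
# constructed samples because the detector never validates them.
ETH_HDR = struct.Struct("!6s6sH")            # dst mac, src mac, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")      # ver/ihl ... proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, off, flags ...

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def build_frame(src_mac, dst_mac, src_ip, src_port, dst_ip, dst_port, flags):
    """Build a minimal Ethernet/IPv4/TCP frame as bytes (constructed sample data only)."""
    tcp = TCP_HDR.pack(src_port, dst_port, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    eth = ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                       bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_mac, src_ip, sport, dst_ip, dport, flags) for a TCP/IPv4 frame, else None."""
    _dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    ip_off = ETH_HDR.size
    vihl, _, _, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(frame, ip_off)
    if proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4                  # honour IP options if present
    sport, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(frame, ip_off + ihl)
    return (src_mac.hex(":"), str(ipaddress.ip_address(src)), sport,
            str(ipaddress.ip_address(dst)), dport, flags)


def is_loopback_rst(pkt):
    """The signature from the thread: a loopback source on the wire, sport 80, RST+ACK."""
    _mac, src_ip, sport, _dst_ip, _dport, flags = pkt
    return (ipaddress.ip_address(src_ip) in LOOPBACK_NET
            and sport == 80
            and flags & (TCP_RST | TCP_ACK) == (TCP_RST | TCP_ACK))


def suspect_macs(frames):
    """Count matching frames per source MAC; the MAC carrying the hits is the infected host."""
    hits = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is not None and is_loopback_rst(pkt):
            hits[pkt[0]] += 1
    return hits


# Constructed sample capture: three RST/ACKs from 127.0.0.1:80 leaking out of one
# host (the ephemeral destination ports mirror the 1012-1992 range in the thread),
# plus a normal SYN and a legitimate RST/ACK from a real address on another host.
INFECTED_MAC = "00:11:22:33:44:55"   # hypothetical
CLEAN_MAC = "00:aa:bb:cc:dd:ee"      # hypothetical
GATEWAY_MAC = "00:de:ad:be:ef:01"    # hypothetical

SAMPLE_FRAMES = [
    build_frame(INFECTED_MAC, GATEWAY_MAC, "127.0.0.1", 80, "10.0.0.7", port, TCP_RST | TCP_ACK)
    for port in (1012, 1300, 1992)
] + [
    build_frame(CLEAN_MAC, GATEWAY_MAC, "10.0.0.9", 40000, "10.0.0.7", 80, TCP_SYN),
    build_frame(CLEAN_MAC, GATEWAY_MAC, "10.0.0.9", 80, "10.0.0.7", 1500, TCP_RST | TCP_ACK),
]

if __name__ == "__main__":
    for mac, count in suspect_macs(SAMPLE_FRAMES).most_common():
        print(f"{mac}: {count} loopback-sourced RST/ACKs from port 80")
```

In a real capture the source MAC is only meaningful on the infected host's own segment; once the frame crosses a router the MAC is the router's, so run this on a span or tap on the same L2 segment the kernel "martian source" log points at.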