[nsp] Re: 127.0.0.0/8 unroutable?

brian.dewyngaert at equant.com
Wed Nov 12 05:32:10 EST 2003


> There's some backing to it, though.  Either the host or router
> requirements RFC (forgot which one) states absolutely clearly that 
> these addresses MUST NOT appear on the wire.

>Yeah, I guess that's why I'm seeing lots of this right now :-)

Not sure why it happens that 127.0.0.1 src'd traffic can make it beyond 
the localhost.  But this info was found to help us when we started seeing 
a flood of packets src'd 127.0.0.1 on our internal network. The info 
below came from an excerpt from a colleague's email.
HTH solve your strange traffic issues

Dear All,

Seems Microsoft solved the situation of the worm themselves.

They updated the record of "windowsupdate.com" (finally the only hostname
used by msblast).
Now this DNS name cannot be resolved, which blocks msblast from flooding.

According to the mailing lists I subscribe to, some people faced other
situations.
It seems that if msblast receives the localhost value (127.0.0.1) as the
answer for the windowsupdate.com record, it will flood its LAN, spoofing
the localhost IP address.

So I encourage the following actions:
         - Internally, update the windowsupdate.com record to answer no IP
address upon query.
         - Since we don't know if Microsoft solved the issue, keep the
windowsupdate.com record on our Corporate DNS
         - Remove the windowsupdate.microsoft.com that is confirmed by many
as not used by the msblast worm



Brian J DeWyngaert Jr
SECOPS - Security Operations
Equant - Security Incident Response Team
Phone:             +1 703 471 3309
Fax:                   +1 703 471 2600
http://www.equant.com

This message and any documents attached to it are confidential and 
intended solely for the use of their addressee(s).  If you have received 
this message in error, you are not authorized to read, use, copy, disclose 
or forward to anyone the information it contains.  Accordingly, please 
immediately destroy this message, together with any attached documents.
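
Added example, not part of the original message: one way to locate the hosts behind a flood of 127.0.0.1-sourced packets on a LAN is to tally frames whose IPv4 source falls in 127.0.0.0/8 by source MAC, since the IP source itself says nothing about the sender. The function names, MAC addresses and sample frames below are constructed for illustration, and the parser assumes untagged Ethernet II frames captured on the same layer-2 segment as the sender.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip) for an untagged Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:                       # 14-byte Ethernet + 20-byte minimum IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None                           # not IPv4 (or VLAN-tagged, which is not handled)
    src_mac = frame[6:12].hex(":")
    src_ip = ipaddress.ip_address(frame[26:30])   # IPv4 source: header offset 12
    dst_ip = ipaddress.ip_address(frame[30:34])   # IPv4 destination: header offset 16
    return src_mac, src_ip, dst_ip

def loopback_sources(frames):
    """Count frames carrying a 127.0.0.0/8 source address, keyed by source MAC."""
    hits = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] in LOOPBACK:
            hits[parsed[0]] += 1
    return hits

def build_frame(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Build a minimal Ethernet + IPv4 header (constructed sample data, checksum left at 0)."""
    eth = bytes.fromhex("020000000099") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

# Constructed sample capture: two hosts emit loopback-sourced frames, one behaves normally.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "127.0.0.1", "192.0.2.10"),
    build_frame("02:00:00:00:00:01", "127.0.0.1", "192.0.2.11"),
    build_frame("02:00:00:00:00:02", "10.0.0.5", "192.0.2.10"),
    build_frame("02:00:00:00:00:03", "127.0.0.1", "192.0.2.12"),
    b"\x00" * 10,                             # truncated frame, ignored by the parser
]

if __name__ == "__main__":
    for mac, count in loopback_sources(SAMPLE_FRAMES).most_common():
        print(f"{mac}  {count} frame(s) with 127.0.0.0/8 source")
```

Once such traffic has crossed a router, the source MAC is that of the router interface, so the tally has to be taken on the originating segment.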


