[c-nsp] traffic sourced from 127.0.0.1
Patrick Coppinger
pcoppinger at corp.earthlink.net
Mon Aug 30 15:34:20 EDT 2004
Anyone else notice an increase in traffic spoofed from 127.0.0.1 coming in on
Transit/Peering links since the 15th or so? Looks like worm scanning
activity but I can't imagine how this would give the worm/trojan any
feedback if responses never make it back to the source?

In this example A.B. is a class B of customer space:
RouterA(config-if)#interface POS6/1
RouterA(config-if)#ip access-group 127 in
RouterA(config-if)#^Z
RouterA#clear access-list counters
RouterA#sho access-list 127
Extended IP access list 127
permit ip 127.0.0.0 0.0.0.255 any log-input (159 matches)
permit ip any any (26 matches)
Aug 30 19:27:08.771 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> A.B.153.103(0), 1 packet
Aug 30 19:27:09.771 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> A.B.51.172(0), 1 packet
Aug 30 19:27:10.794 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> A.B.54.11(0), 1 packet
Aug 30 19:27:11.794 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> A.B.53.194(0), 1 packet
Patrick Coppinger
Network Engineer, CCNP
Earthlink, Inc
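
An added example, not part of the original post: a Python sketch that totals loopback-sourced packets per ingress interface from %SEC-6-IPACCESSLOGP entries like those above, re-joining entries wrapped across two lines. The sample log is constructed (198.51.100.0/24 stands in for the A.B. customer space), and the check covers all of 127.0.0.0/8, which is wider than the 0.0.0.255 wildcard in list 127.

```python
import ipaddress
import re
from collections import Counter

# Matches one IPACCESSLOGP entry after whitespace has been flattened.
# The "(interface )" field is only present when the ACE uses log-input.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<intf>[^)]*?)\s*\) )?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)

# Constructed sample in the format shown in the post (not real traffic).
SAMPLE = """\
Aug 30 19:27:08.771 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> 198.51.100.103(0), 1 packet
Aug 30 19:27:09.771 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.0.0.1(0) (POS6/1 ) -> 198.51.100.172(0), 3 packets
Aug 30 19:27:10.794 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
127.9.8.7(0) (POS6/1 ) -> 198.51.100.11(0), 1 packet
Aug 30 19:27:11.794 UTC: %SEC-6-IPACCESSLOGP: list 127 permitted tcp
203.0.113.5(1025) (POS6/1 ) -> 198.51.100.194(80), 1 packet
"""


def parse_acl_log(text):
    """Return one dict per log entry, tolerating line-wrapped entries."""
    flat = " ".join(text.split())  # undo wrapping and repeated spaces
    return [m.groupdict() for m in LOG_RE.finditer(flat)]


def loopback_sourced(text):
    """Packet totals keyed by (ingress interface, source) for 127.0.0.0/8."""
    hits = Counter()
    for entry in parse_acl_log(text):
        if ipaddress.ip_address(entry["src"]).is_loopback:
            hits[(entry["intf"], entry["src"])] += int(entry["count"])
    return hits


if __name__ == "__main__":
    for (intf, src), pkts in loopback_sourced(SAMPLE).most_common():
        print(f"{intf}: {pkts} packet(s) with spoofed source {src}")
```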