[c-nsp] traffic sourced from 127.0.0.1
Gert Doering
gert at greenie.muc.de
Mon Aug 30 16:11:27 EDT 2004
Hi,
On Mon, Aug 30, 2004 at 03:34:20PM -0400, Patrick Coppinger wrote:
> Anyone else notice an increase in traffic spoofed from 127.0.0.1 coming in
> Transit/Peering links since the 15th or so? Looks like worm scanning
> activity but I can't imagine how this would give the worm/trojan any
> feedback if responses never make it back to the source?
This is one of the Windows worms that attack web servers
(www.microsoft.com, if I remember correctly).
If the web server cannot be resolved (no DNS configured, whatever) the
"target IP" chosen is 127.0.0.1, with random source IPs. What you are
observing is quite likely the backscatter of this, source = 127.0.0.1, tcp
port 80, destination = random, port = random.
The *really* scary thing about this is not that yet another windows
computer is worm-infected, but that your peers do not bother to apply at
least some minimum anti-spoofing filtering towards their customers, and
inside their network. There is *no* good reason to forward packets sourced
from 127.0.0.1, and it reflects back on the overall security consciousness
in these networks.
(Some RFC or other, AFAIR it's the Host Requirements RFC, explicitly
forbids putting packets with 127.0.0.x IP addresses on the wire, but
Microsoft doesn't know that...)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
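The filtering Gert describes, as an added example that is not part of the thread: a small Python classifier that applies the check an ingress anti-spoofing filter on a customer link would (drop 127/8 per RFC 1122, drop sources outside the customer's assigned prefixes in the BCP 38 sense) and tags records matching the backscatter pattern above (src 127.0.0.1, TCP sport 80, random destination and port). The prefixes and flow records are constructed samples.

```python
# Added example, not from the original post: classify flow records arriving on a
# customer/peer link the way an ingress anti-spoofing filter would, and flag the
# worm backscatter signature described in the thread.
import ipaddress
from collections import Counter

# RFC 1122: 127.0.0.0/8 must never appear outside a host, so never forward it.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Hypothetical prefixes assigned to the customer behind this link (constructed).
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records: (src, sport, dst, dport, proto)
SAMPLE_FLOWS = [
    ("127.0.0.1", 80, "203.0.113.7", 41322, "tcp"),    # worm backscatter
    ("127.0.0.1", 80, "203.0.113.250", 5123, "tcp"),   # worm backscatter
    ("192.0.2.10", 53211, "203.0.113.1", 80, "tcp"),   # legitimate customer traffic
    ("10.9.8.7", 1234, "203.0.113.2", 80, "tcp"),      # source outside customer prefixes
    ("127.0.0.5", 443, "203.0.113.3", 9000, "udp"),    # loopback, but not the signature
]

def classify(src, sport, dst, dport, proto):
    """Return the filter verdict for one record arriving from the customer link."""
    src_ip = ipaddress.ip_address(src)
    if src_ip in LOOPBACK:
        # Dropped regardless; additionally tag the specific backscatter pattern
        # (src 127.0.0.1, TCP source port 80, arbitrary destination and port).
        if proto == "tcp" and sport == 80 and src == "127.0.0.1":
            return "drop:loopback-backscatter"
        return "drop:loopback"
    if not any(src_ip in p for p in CUSTOMER_PREFIXES):
        return "drop:not-customer-prefix"   # BCP 38-style source address check
    return "permit"

def summarize(flows):
    """Count verdicts so an operator can see how much spoofed traffic a link leaks."""
    return Counter(classify(*f) for f in flows)

if __name__ == "__main__":
    for verdict, n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{verdict:28s} {n}")
```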