Re: freebsd-security Digest, Vol 61, Issue 3
On Mon, 7 Jun 2004, Michael Vlasov wrote:
> On Sat, 29 May 2004 12:00:52 -0700 (PDT),
> <freebsd-security-request@freebsd.org> wrote:
>
> Hello !
>
> Today i see in snort logs :
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
> TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.075824 127.0.0.1:80 -> 10.6.249.83:1299
> TCP TTL:128 TOS:0x0 ID:578 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x568A0001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 06/07-09:44:39.107072 127.0.0.1:80 -> 10.6.96.121:1032
> TCP TTL:128 TOS:0x0 ID:579 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x37920001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> Why ? ;-)
Ok, that means that someone (or thing) is spoofing packets to your box
(i know, and so does snort, that its spoofed because the source ip is
127.0.0.1 and its coming in on an interface apart from lo0) this is
sometimes used as a DoS attack (its one of those fun addresses to use as
source addresses for them), although, by the looks of it (because theres
multiple dst-ports being used), someone is using a program like nmap to
portscan your host using a spoofed ip
~Neo-Vortex
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 3 篇):