Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999

From snort's alert log file, these come ~1000 in a day:

[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

What could cause this loopback traffic? The box has no firewall, and this happens even if only the default ssh server is listening on the network (limited with hosts.allow to listen to the local network only). Cvsupped a few days ago, with no effect.

tcpdump -e -i xl0 -n host 127.0.0.1
shows this traffic.

tcpdump -e -i lo0
shows nothing.
On Sat, Sep 20, 2003 at 08:04:46PM +0300, Pertti Kosunen wrote:
> Source: 127.0.0.1:80 -> Destination: my.inet.ip: ports ~1025-1999
>
> From snort's alert log file, these come ~1000 in a day:
> [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 09/19-22:52:46.419992 127.0.0.1:80 -> my.inet.ip:1821
> TCP TTL:127 TOS:0x0 ID:13627 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x0 Ack: 0x59780001 Win: 0x0 TcpLen: 20
> [Xref => http://rr.sans.org/firewall/egress.php]
>
> What could cause this loopback traffic?

Forged source address on a network with no egress filtering.

Kris
>> What could cause this loopback traffic?
>
> Forged source address on a network with no egress filtering.
>
> Kris

Ok, I put ipfw on with the default simple mode.

ipfw -a l
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
...

Still get this:

tcpdump: listening on xl0
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1284: R 0:0(0) ack 72679425 win 0
12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > out.ip.1667: R 0:0(0) ack 1243086849 win 0

0:90:1a:40:1f:db is the default gateway's (ISP) MAC address; 0:50:da:ca:61:e9 is my outside net card, xl0.

Is this normal traffic, and what should I check next?
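To triage captures like the one above from the defender's side, here is an added example (not code from the thread or from FreeBSD) that parses tcpdump -e -n lines in the format shown and flags frames whose IP source is 127.0.0.0/8 but whose Ethernet source is another host, reporting whether that host is the gateway. The MACs are the ones quoted in the thread; 192.0.2.10 and the non-loopback line are constructed stand-ins for "out.ip" and for ordinary traffic.

```python
import ipaddress
import re

# Matches tcpdump -e -n lines in the format seen in this thread (tcpdump 3.x):
# "12:51:15.736517 <smac> <dmac> 0800 60: 127.0.0.1.80 > 192.0.2.10.1165: R 0:0(0) ack 1416364033 win 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+"
    r"0800\s+\d+:\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?(?:\s+ack\s+(?P<ack>\d+))?"
)

def parse_line(line):
    """Return the frame's fields as a dict, or None for lines that are not TCP/IP frames."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "ack"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt

def classify(pkt, my_mac, gateway_mac):
    """Explain why a frame captured on the external interface is suspect, or return None.
    127.0.0.0/8 is local to every host, so it can never legitimately be an IP source on
    the wire; if the Ethernet source is not our own NIC, someone else forged the address."""
    if not ipaddress.ip_address(pkt["src"]).is_loopback:
        return None
    if pkt["smac"] == my_mac:
        return "loopback-sourced frame emitted by this host (check local routing)"
    origin = "upstream gateway" if pkt["smac"] == gateway_mac else "LAN peer"
    reason = f"forged loopback source delivered by {origin} {pkt['smac']}"
    if "R" in pkt["flags"] and pkt["seq"] == 0 and pkt["ack"] is not None:
        reason += "; bare RST/ACK with seq 0"
    return reason

def scan(lines, my_mac, gateway_mac):
    """Run each capture line through the check and return (ts, src, dst, reason) tuples."""
    findings = []
    for line in lines:
        pkt = parse_line(line)
        reason = classify(pkt, my_mac, gateway_mac) if pkt else None
        if reason:
            findings.append((pkt["ts"], f"{pkt['src']}:{pkt['sport']}",
                             f"{pkt['dst']}:{pkt['dport']}", reason))
    return findings

# Constructed sample: MACs as quoted in the thread, 192.0.2.10 standing in for "out.ip".
MY_MAC, GATEWAY_MAC = "0:50:da:ca:61:e9", "0:90:1a:40:1f:db"
SAMPLE = """tcpdump: listening on xl0
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1165: R 0:0(0) ack 1416364033 win 0
12:51:16.104220 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 74: 198.51.100.7.443 > 192.0.2.10.1200: P 1:21(20) ack 1 win 8760
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1284: R 0:0(0) ack 72679425 win 0
"""

if __name__ == "__main__":
    for ts, src, dst, why in scan(SAMPLE.splitlines(), MY_MAC, GATEWAY_MAC):
        print(ts, src, "->", dst, ":", why)
```

Note that tcpdump taps xl0 through bpf before ipfw processes inbound packets, so a frame can appear in the capture while rule 00300 is still dropping it; the packet and byte counters printed by `ipfw -a l` show whether that rule is actually matching.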