[snort] BAD-TRAFFIC loopback traffic 4.9-PRE
Kris Kennaway
kris at obsecurity.org
Mon Sep 22 10:29:48 PDT 2003
On Mon, Sep 22, 2003 at 01:38:30PM +0300, Pertti Kosunen wrote:
> >> What could cause this loopback traffic?
> >
> > Forged source address on a network with no egress filtering.
> >
> > Kris
>
> Ok, I put the ipfw on with the default simple mode.
> ipfw -a l
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> ...
>
> Still get this:
> tcpdump: listening on xl0
> 12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1165: R 0:0(0) ack 1416364033 win 0
> 12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1284: R 0:0(0) ack 72679425 win 0
> 12:52:32.717702 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 >
> out.ip.1667: R 0:0(0) ack 1243086849 win 0
>
> 0:90:1a:40:1f:db is the default gateway's (ISP) MAC address; xl0 0:50:da:ca:61:e9
> is my outside net card.
>
> Is this normal traffic, and what should I check next?
Yes, and ipfw should be denying the packets. Is it not doing so?
Note that you'll still see them on the wire from the external network,
because ipfw can't make the packets disappear en route into the
machine, it can only deny them once they get there.
Kris
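
Added example, not part of the original message: one way to answer the question above is to compare the 127/8 frames tcpdump sees on the outside interface with the packet counters on the ipfw deny rules. The capture lines and the `ipfw -a l` listing below are constructed samples (192.0.2.10 stands in for the redacted outside address), and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of the `tcpdump -e` output quoted above
# (192.0.2.10 stands in for the redacted outside address).
TCPDUMP = """\
12:51:15.736517 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1165: R 0:0(0) ack 1416364033 win 0
12:51:19.092168 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 60: 127.0.0.1.80 > 192.0.2.10.1284: R 0:0(0) ack 72679425 win 0
12:51:20.000001 0:90:1a:40:1f:db 0:50:da:ca:61:e9 0800 74: 198.51.100.7.3312 > 192.0.2.10.22: S 1:1(0) win 16384
"""

# Constructed `ipfw -a l` listing: rule number, packet count, byte count, rule.
IPFW = """\
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 2 80 deny ip from 127.0.0.0/8 to any
"""

def _is_loopback(endpoint):
    """endpoint is 'a.b.c.d.port' as tcpdump prints it."""
    host = endpoint.rstrip(":").rpartition(".")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def loopback_on_wire(capture):
    """Count frames with a 127/8 source or destination, keyed by sender MAC."""
    hits = Counter()
    for line in capture.splitlines():
        f = line.split()
        if len(f) < 8 or f[6] != ">":
            continue
        if _is_loopback(f[5]) or _is_loopback(f[7]):
            hits[f[1]] += 1
    return hits

def loopback_deny_counters(listing):
    """Map rule number -> packet count for deny rules that name 127.0.0.0/8."""
    out = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) > 4 and f[3] == "deny" and "127.0.0.0/8" in f[4:]:
            out[f[0]] = int(f[1])
    return out

if __name__ == "__main__":
    print(loopback_on_wire(TCPDUMP), loopback_deny_counters(IPFW))
```

If the deny-rule counters rise in step with the loopback frames tcpdump reports, the firewall is dropping them even though they remain visible in the capture.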