Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...

From: Michael Boman (michael.boman@securecirt.com)
Date: 11/26/02

Next message: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."

Previous message: Gideon Rasmussen, CISSP: "Solaris Hardening Document"
Next in thread: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Jon: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Lupe Christoph: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Maybe reply: Michael Boman: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Matt Harris: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 26 Nov 2002 15:41:28 +0800
From: Michael Boman <michael.boman@securecirt.com>
To: focus-sun@securityfocus.com

Hi there,

I have a Solaris 7 (sparc) installation, with the recomended patch-batch
installed. This particular installation emits 127.0.0.x addresses on
the ethernet, and I wonder if anyone has any pointers what could cause
this. (ip addresses has changed to protect the guilty).

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 172.20.123.24 netmask ffffff00 broadcast 172.20.123.255
        ether 8:0:20:c4:ad:45

# netstat -nr

Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
172.20.123.0 172.20.123.24 U 3 31742 hme0
224.0.0.0 172.20.123.24 U 3 0 hme0
default 172.20.123.1 UG 0 379177
127.0.0.1 127.0.0.1 UH 0 84159 lo0

Here is a text dump from Ethereal that displays the offensive packets:

Frame 1 (60 on wire, 60 captured)
    Arrival Time: Nov 22, 2002 11:39:49.573028000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II
    Destination: 00:00:0c:07:ac:02 (Cisco_07:ac:02)
    Source: 08:00:20:c4:ad:45 (Sun_c4:ad:45)
    Type: IP (0x0800)
    Trailer: 55555555555555555555555555555555...
Internet Protocol, Src Addr: 127.0.0.75 (127.0.0.75), Dst Addr: 108.122.0.0 (108.122.0.0)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x07 (DSCP 0x01: Unknown DSCP; ECN: 0x03)
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..1. = ECN-Capable Transport (ECT): 1
        .... ...1 = ECN-CE: 1
    Total Length: 20
    Identification: 0xe7c9
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: IPv6 hop-by-hop option (0x00)
    Header checksum: 0xa853 (correct)
    Source: 127.0.0.75 (127.0.0.75)
    Destination: 108.122.0.0 (108.122.0.0)

Please advice.

Best regards
Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com

application/pgp-signature attachment: stored

Next message: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Previous message: Gideon Rasmussen, CISSP: "Solaris Hardening Document"
Next in thread: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Jan-Philip Velders: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Jon: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Lupe Christoph: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Maybe reply: Michael Boman: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Reply: Matt Harris: "Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Embedded ethernet advice.
... > But when an ethernet and a tcp/ip stack is added, ... packaged up into bundles called packets, a header is tacked onto the ... beginning of each packet, and the packet moves as one piece across the ... get at the IP packet to get at the TCP packet to get at your byte. ...
(comp.arch.embedded)
Re: ARP - IP but why?
... The Network layer keeps track of logical addresses, and Ethernet handles delivery to a specific device. ... Since an IP address can be assigned to any ethernet device, it is utilized to associate an IP address to a real-world computer, printer, whatever. ... Once the network layer builds the TCP packet with a destination IP address, it hands it down to the link layer. ...
(comp.os.linux.networking)
Re: Polling For 100 mbps Connections? (Was Re: Freebsd Theme Song)
... Polling For 100 mbps Connections? ... from the network into the ethernet receiver. ... It takes a certain amount of time to get the packet out of ... not in the ethernet driver code. ...
(freebsd-questions)
Re: AFP protocol
... I met, in the 1980s, plenty of workstations hooked up to Ethernet ... reasonable sized black coax cables that use BNC sockets, ... and another 500m off each repeater. ... The 64 byte minimum packet size for Ethernet, the 1500m limit, and the ...
(uk.comp.sys.mac)
Re: DHCP serving more than one subnet (longish)
... DHCP packets are really ethernet packets whose contents are formatted as TCPIP ... packets to allow a host's ethernet layer to pass the packet onto the TCPIP stack. ... The response from the server is sent as an ethernet packet adressed ...
(comp.os.vms)