Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...
From: John P. Eisenmenger (jpe@eisenmenger.org)
Date: 12/02/02
Date: Mon, 2 Dec 2002 12:31:57 -0600 (CST)
From: "John P. Eisenmenger" <jpe@eisenmenger.org>
To: Michael Boman <michael.boman@securecirt.com>
On Thu, 28 Nov 2002, Michael Boman wrote:
> I grabbed the pcap output from our IDS that is sitting on a SPAN
> port. I've read the other replies that indicate that it's something
> wrong with the routing on the system itself, but as you can see from
> the ethereal dump the Sun system emits traffic with the source IP of
> 127.0.0.0/8, not the destination. Any other suggestions?
>
> # ifconfig -a
> lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
>         inet 127.0.0.1 netmask ff000000
> hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
>         inet 172.20.123.24 netmask ffffff00 broadcast 172.20.123.255
>         ether 8:0:20:c4:ad:45
>
> # netstat -nr
>
> Routing Table:
>   Destination           Gateway           Flags  Ref   Use   Interface
> -------------------- -------------------- ----- ----- ------ ---------
> 172.20.123.0         172.20.123.24         U        3  31742  hme0
> 224.0.0.0            172.20.123.24         U        3      0  hme0
> default              172.20.123.1          UG       0 379177

The 127.0.0.75 address is the source address, so all the routing table
comments are headed down the wrong path. So we have to ask ourselves how
one can get a source address of 127.0.0.75...

What is strange is that I don't see that 127.0.0.75 address anywhere in
the Sun information you gave above. Anyway...

Option 1 - via bind()

This is the simplest option from an application point of view, but it
should not be possible to bind to an address that does not exist on the
system. It's been a while since I played with things like this on
Solaris, so maybe it makes an exception for addresses on the loopback
interface.. In any case, a "netstat -an | grep 127.0.0.5" should show
that address in use if a process is bound to it.

Option 2 - via raw net access.

The other option I can think of is some application that crafts the entire
IP portion of the packet and uses raw network access to deposit it onto
the wire. Why a normal application would do this, I have no earthly idea.

Any other ideas?

-John
-- John P. Eisenmenger jpe@eisenmenger.org
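
Added example, not part of the original thread: a way to confirm from the IDS capture which host emits the loopback-sourced frames, by scanning a classic pcap file for IPv4 packets whose source is in 127.0.0.0/8 and reporting the Ethernet source MAC. The function name, the destination MAC and IP, and the SAMPLE capture are constructed for illustration; only the source MAC and the two source addresses come from the message above.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def loopback_sources(pcap: bytes):
    """Return (frame_no, src_mac, src_ip, dst_ip) for IPv4 frames sourced from 127/8."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    hits, offset, frame_no = [], 24, 0
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1
        l3 = 14
        if frame[12:14] == b"\x81\x00":      # skip one 802.1Q tag
            l3 = 18
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                          # not IPv4, or truncated header
        src = ipaddress.ip_address(frame[l3 + 12:l3 + 16])
        dst = ipaddress.ip_address(frame[l3 + 16:l3 + 20])
        if src in LOOPBACK:
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            hits.append((frame_no, mac, str(src), str(dst)))
    return hits

def _record(src_ip, dst_ip):
    """Constructed sample: one pcap record holding a bare Ethernet + IPv4 header."""
    eth = bytes.fromhex("020000000001" "080020c4ad45" "0800")  # dst MAC is made up
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return struct.pack("<IIII", 0, 0, 34, 34) + eth + ip

# Constructed capture (not the poster's): one normal frame, one with a 127/8 source.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record("172.20.123.24", "192.0.2.10")
          + _record("127.0.0.75", "192.0.2.10"))

if __name__ == "__main__":
    for hit in loopback_sources(SAMPLE):
        print("frame %d: src MAC %s, %s -> %s" % hit)
```

A MAC that matches the hme0 "ether" value in the ifconfig output ties the frames to that interface; a different MAC points at another device on the segment.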