Localhost packets on WAN

From: Kirby Angell (kangell_at_alertra.com)
Date: 09/29/04

  • Next message: Martin Mačok: "data payload in SYN (Re: DoS/DDoS on port 1863(MSN protocol))"
    Date: Wed, 29 Sep 2004 00:37:40 -0500
    To: Incidents List <incidents@securityfocus.com>
    
    


    Once on the 26th and 8 times today we received packets from 127.0.0.1:80
    to an ephemeral port on one of our WAN IPs. The one on the 26th was
    odd, but the ones today were very similar. They came in pairs, usually
    about 10 minutes apart for each packet in the pair. The pairs were
    about 1 hour apart.

    The TTLs are all 121 which I make for a Windows box about 7 hops away.
    The packets today all looked almost identical to the one at the end of
    this message. The only differences are the ID field and the ephemeral
    port the packet went to. They all have the RST/ACK flags set. I
    checked a few of them, and there was no other traffic to/from that port
    anywhere near the time the bogus packets came in.

    I'm going to be checking in the morning to see what my firewall would do
    with these sorts of packets; hopefully it is just throwing them away.
    Any ideas on what this is about? Some sort of recon, or other precursor
    to something I won't like?

    No.  Time                        Source     Destination  Protocol  Info
    4    2004-09-28 17:14:32.558443  127.0.0.1  WAN_IP       TCP       http > 1245 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

    Frame 4 (60 bytes on wire, 60 bytes captured)
    ~ Arrival Time: Sep 28, 2004 17:14:32.558443000
    ~ Time delta from previous packet: 1835.696862000 seconds
    ~ Time since reference or first frame: 185412.560781000 seconds
    ~ Frame Number: 4
    ~ Packet Length: 60 bytes
    ~ Capture Length: 60 bytes
    Ethernet II, Src: 00:b0:64:2f:64:c1, Dst: 00:0e:db:00:1b:15
    ~ Destination: 00:0e:db:00:1b:15 (Xincom_00:1b:15)
    ~ Source: 00:b0:64:2f:64:c1 (Cisco_2f:64:c1)
    ~ Type: IP (0x0800)
    ~ Trailer: 000000000000
    Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: WAN_IP (WAN_IP)
    ~ Version: 4
    ~ Header length: 20 bytes
    ~ Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    ~ 0000 00.. = Differentiated Services Codepoint: Default (0x00)
    ~ .... ..0. = ECN-Capable Transport (ECT): 0
    ~ .... ...0 = ECN-CE: 0
    ~ Total Length: 40
    ~ Identification: 0x9d01 (40193)
    ~ Flags: 0x00
    ~ 0... = Reserved bit: Not set
    ~ .0.. = Don't fragment: Not set
    ~ ..0. = More fragments: Not set
    ~ Fragment offset: 0
    ~ Time to live: 121
    ~ Protocol: TCP (0x06)
    ~ Header checksum: 0xfff1 (correct)
    ~ Source: 127.0.0.1 (127.0.0.1)
    ~ Destination: WAN_IP (WAN_IP)
    Transmission Control Protocol, Src Port: http (80), Dst Port: 1245 (1245), Seq: 0, Ack: 0, Len: 0
    ~ Source port: http (80)
    ~ Destination port: 1245 (1245)
    ~ Sequence number: 0 (relative sequence number)
    ~ Acknowledgement number: 0 (relative ack number)
    ~ Header length: 20 bytes
    ~ Flags: 0x0014 (RST, ACK)
    ~ 0... .... = Congestion Window Reduced (CWR): Not set
    ~ .0.. .... = ECN-Echo: Not set
    ~ ..0. .... = Urgent: Not set
    ~ ...1 .... = Acknowledgment: Set
    ~ .... 0... = Push: Not set
    ~ .... .1.. = Reset: Set
    ~ .... ..0. = Syn: Not set
    ~ .... ...0 = Fin: Not set
    ~ Window size: 0
    ~ Checksum: 0x9817 (correct)

    --
    Thank you,

    Kirby Angell
    Get notified anytime your website goes down!
    http://www.alertra.com
    key: 9004F4C0
    fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
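A check a defender could run on packets like the one above, added here as an example and not part of Kirby's post: it decodes the IPv4/TCP headers of a constructed packet modelled on the capture (127.0.0.1:80 -> ephemeral port, RST/ACK, TTL 121), flags the loopback source as a martian that should never arrive on the WAN side, flags a RST for a connection our side never opened, and turns the TTL into the "initial 128, about 7 hops" estimate. The WAN address (an RFC 5737 placeholder), the abridged martian list and the known_flows set are assumptions.

```python
import ipaddress
import struct

# Constructed sample modelled on the capture in the post; the real WAN address is
# not given, so 192.0.2.10 (an RFC 5737 documentation address) stands in for it.
# IP fields: ver/IHL, TOS, total len 40, id 0x9d01, flags/frag, TTL 121, proto TCP,
# checksum (not verified here), source, destination.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x9D01, 0, 121, 6, 0,
                     ipaddress.IPv4Address("127.0.0.1").packed,   # spoofed loopback source
                     ipaddress.IPv4Address("192.0.2.10").packed)  # placeholder for WAN_IP
# TCP fields: sport 80, dport 1245, seq, ack, data offset 20 bytes, flags RST|ACK,
# window 0, checksum, urgent pointer.
TCP_HDR = struct.pack("!HHIIBBHHH", 80, 1245, 0, 0, 5 << 4, 0x14, 0, 0, 0)
SAMPLE_PKT = IP_HDR + TCP_HDR

# Abridged list of source prefixes that must never arrive from the Internet.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers of a raw packet into a flat dict."""
    ver_ihl, _, _, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled")
    ihl = (ver_ihl & 0x0F) * 4  # honour IP options when computing the TCP offset
    sport, dport, seq, ack, _, flags, win = struct.unpack("!HHIIBBH", pkt[ihl:ihl + 16])
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "ident": ident, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "win": win}


def estimate_hops(ttl: int) -> tuple:
    """Guess the sender's initial TTL (64, 128 or 255) and the hops traversed."""
    initial = min(t for t in (64, 128, 255) if t >= ttl)
    return initial, initial - ttl


def classify(pkt: bytes, known_flows: set) -> list:
    """Findings for a packet seen on the WAN side; known_flows holds
    (local_ip, local_port, remote_ip, remote_port) tuples our side opened."""
    p = parse(pkt)
    findings = []
    if any(p["src"] in net for net in MARTIANS):
        findings.append("martian source %s on WAN: address is spoofed" % p["src"])
    if p["flags"] & 0x04 and (p["dst"], p["dport"], p["src"], p["sport"]) not in known_flows:
        findings.append("RST for a connection we never opened: unsolicited reset")
    initial, hops = estimate_hops(p["ttl"])
    findings.append("ttl %d looks like initial %d, about %d hops away" % (p["ttl"], initial, hops))
    return findings
```

With an empty known_flows set the sample yields all three findings; with the matching flow recorded, only the martian and TTL lines remain.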


