RE: Localhost packets on WAN

From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 09/30/04

    To: "'Kirby Angell'" <kangell@alertra.com>, "'Incidents List'" <incidents@securityfocus.com>
    Date: Wed, 29 Sep 2004 23:53:09 -0400
    
    

    I started receiving nearly identical packets on an external interface on
    September 22. Mine had a TTL of 125, but had the same trailers, localhost
    source address, etc.

    The target port on my network changed each time, but often repeated ports
    used earlier.

    These packets should not be arriving at your perimeter at all. They are not
    blowback from misguided Blaster or Nachi countermeasures as someone will
    undoubtedly suggest.

    Others have suggested possible compromise of the upstream gateway router.
    This seems plausible since ISPs typically do not configure their ACLs to
    allow such traffic to be routed.

    The packets stopped within an hour after I reported them to my upstream ISP.
    That seems to indicate a pretty high priority issue. Consider reporting it
    right away. Include the IP address of your upstream gateway if possible.
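
A detection sketch for the traffic described in this message, added here as an example and not part of the original post: it scans firewall log lines for loopback-sourced packets arriving on the external interface and tallies their TTLs and target ports, which is the detail worth including in a report to the upstream ISP. The log lines are constructed, in abbreviated Linux netfilter LOG format, and `eth0` as the external interface name is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (abbreviated netfilter LOG format). Addresses are
# documentation ranges; eth0 as the external interface is an assumption.
SAMPLE_LOG = """\
Sep 22 10:01:02 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 LEN=40 TTL=125 PROTO=TCP SPT=1030 DPT=1035
Sep 22 10:01:09 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 LEN=40 TTL=125 PROTO=TCP SPT=1030 DPT=1740
Sep 22 10:02:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=25
Sep 22 10:03:11 gw kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=5432
Sep 22 10:04:45 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 LEN=40 TTL=125 PROTO=TCP SPT=1030 DPT=1035
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def loopback_on_wan(log_text, wan_if="eth0"):
    """Return parsed fields of packets that arrived on wan_if with a loopback source."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("IN") != wan_if:
            continue  # legitimate loopback traffic on lo is ignored
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # missing or malformed source address
        if src.is_loopback:  # 127.0.0.0/8 or ::1
            hits.append(fields)
    return hits


def summarize(hits):
    """Tally TTLs and destination ports, and list ports targeted more than once."""
    ttls = Counter(int(h["TTL"]) for h in hits if h.get("TTL", "").isdigit())
    ports = Counter(int(h["DPT"]) for h in hits if h.get("DPT", "").isdigit())
    repeated = sorted(p for p, n in ports.items() if n > 1)
    return {"count": len(hits), "ttls": ttls, "ports": ports, "repeated": repeated}


if __name__ == "__main__":
    print(summarize(loopback_on_wan(SAMPLE_LOG)))
```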

