RE: Localhost packets on WAN
From: James C Slora Jr (Jim.Slora_at_phra.com)
To: "'Kirby Angell'" <firstname.lastname@example.org>, "'Incidents List'" <email@example.com> Date: Wed, 29 Sep 2004 23:53:09 -0400
I started receiving nearly identical packets on an external interface on
September 22. Mine had a TTL of 125, but had the same trailers, localhost
source address, etc.
The target port on my network changed each time, but often repeated ports
These packets should not be arriving at your perimeter at all. They are not
blowback from misguided Blaster or Nachi countermeasures as someone will
Others have suggested possible compromise of the upstream gateway router.
This seems plausible since ISPs typically do not configure their ACLs to
allow such traffic to be routed.
The packets stopped within an hour after I reported them to my upstream ISP.
That seems to indicate a pretty high priority issue. Consider reporting it
right away. Include the IP address of your upstream gateway if possible.