RE: Localhost packets on WAN
From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 09/30/04
- Previous message: Kirby Angell: "Re: Localhost packets on WAN"
- In reply to: Kirby Angell: "Localhost packets on WAN"
- Next in thread: David Gillett: "RE: Localhost packets on WAN"
- Reply: David Gillett: "RE: Localhost packets on WAN"
- Reply: spainsecurity-s.navarro: "RE: Localhost packets on WAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Kirby Angell'" <kangell@alertra.com>, "'Incidents List'" <incidents@securityfocus.com> Date: Wed, 29 Sep 2004 23:53:09 -0400
I started receiving nearly identical packets on an external interface on
September 22. Mine had a TTL of 125, but had the same trailers, localhost
source address, etc.
The target port on my network changed each time, but often repeated ports
used earlier.
These packets should not be arriving at your perimeter at all. They are not
blowback from misguided Blaster or Nachi countermeasures as someone will
undoubtedly suggest.
Others have suggested possible compromise of the upstream gateway router.
This seems plausible since ISPs typically do not configure their ACLs to
allow such traffic to be routed.
The packets stopped within an hour after I reported them to my upstream ISP.
That seems to indicate a pretty high priority issue. Consider reporting it
right away. Include the IP address of your upstream gateway if possible.
- Previous message: Kirby Angell: "Re: Localhost packets on WAN"
- In reply to: Kirby Angell: "Localhost packets on WAN"
- Next in thread: David Gillett: "RE: Localhost packets on WAN"
- Reply: David Gillett: "RE: Localhost packets on WAN"
- Reply: spainsecurity-s.navarro: "RE: Localhost packets on WAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
