Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?
From: David (davidwnh_at_adelphia.net)
Date: 10/06/03
- Next message: danielrm26: "DMZ"
- Previous message: David: "Re: linksys router logviewer alternative"
- In reply to: Peter: "Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?"
- Next in thread: David: "Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 06 Oct 2003 12:19:49 GMT
Generally with this type of thing you will get more hits from more localized
machines. Many of these worms/bots etc. choose local subnet destination
addresses and for those that are more random in their selection, the more
routers the traffic has to go through the more chances there are that it
will get filtered in one that uses egress filters on the loopback address.
My guess is that packets you saw with TTLs of 126 were from other dial-up
users from the same ISP. So it may have to do with you being online at the
same time that one of these infected machines is.
>
> But unlike with MS-Blaster where I always get hits appearing in the
> firewall log, this only happens sometimes... thinking about it, it might
> be where the previous owner the IP address I've been allocated has been
> doing something or connecting to something strange!
> That may explain why it doesn't always happen.
>
It's actually a good question. There are certain aspects of their stacks
that are or in the past were not RFC standard. I think in regards to this
particular characteristic their stacks are compliant. I personally haven't
seen any information to the contrary at least.
>
> It's got a Microsoft stack - does that count? (don't answer that!)
>
> > In all I don't know whether ZA is blocking the packets due to them being
> > spoofed, or simply because there is no open socket or listening server
> > related to them. You would think that if it was due to spoof protection
> > that the developers would be smart enough to have this indicated in alerts
> > or log entries. Use a port listener, bind it to port 80 on the loopback,
> > play around with ZA's application control settings for the listener and
> > you will find out.
>
Without the loopback address as trusted this is what one would expect. You
have to put the loopback address in the trusted zone to run a VPN client or
a proxy that listens on the loopback. This is what I would question. If you
were forced to put the loopback address in the trusted zone for something
like a VPN client, is ZA smart enough to know that traffic that "physically"
comes in on your internet facing adapter using the loopback address as a
source is spoofed? This is something you can't test on the machine itself.
You would have to test it by sending traffic from a remote machine because
it is something that is caught by inspecting the information in the data
link layer.
>
> As regards ZoneAlarm blocking or not, I *think* it's safe! I set up a
> listener on port 23012 (picked out of hat) and tried to connect to it
> (localhost:23012) and ZoneAlarm did block it.
>
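The two checks David describes above (a loopback source address arriving on the internet-facing adapter is spoofed regardless of any "trusted zone" setting, and a TTL of 126 most likely means a Windows host two hops away) can be applied to firewall log lines offline. The following is an added example, not code from the thread or from ZoneAlarm; it uses a constructed, simplified comma-separated log layout (action, date, time, interface, source, destination, protocol, TTL) rather than ZoneAlarm's real log format, and the interface names `ppp0` and `lo` and the sample lines are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in a simplified layout (not ZoneAlarm's real format):
# action,date,time,ingress interface,src:port,dst:port,protocol,ttl
SAMPLE_LOG = """\
FWIN,2003/10/06,12:19:49,ppp0,127.0.0.1:80,10.0.0.5:23012,TCP,126
FWIN,2003/10/06,12:20:01,lo,127.0.0.1:23012,127.0.0.1:1234,TCP,128
FWIN,2003/10/06,12:20:15,ppp0,192.0.2.10:3333,10.0.0.5:135,TCP,115
FWIN,2003/10/06,12:20:30,ppp0,10.0.0.7:4444,10.0.0.5:445,TCP,127
"""

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_IFACE = "lo"            # assumed name of the loopback adapter
COMMON_INITIAL_TTLS = (64, 128, 255)  # typical OS defaults, lowest first


@dataclass
class Verdict:
    iface: str
    src: str
    dst: str
    ttl: int
    spoofed_loopback: bool       # loopback source seen on a non-loopback adapter
    estimated_hops: Optional[int]  # hops from the nearest plausible initial TTL


def estimate_hops(ttl: int) -> Optional[int]:
    """Guess hop count by assuming the smallest common initial TTL >= observed.

    This is a heuristic: a TTL of 126 is read as 128 - 2 (two hops from a
    Windows-style sender), which is the reasoning used in the thread.
    """
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # TTL above every known default; cannot estimate


def classify(line: str) -> Verdict:
    """Parse one constructed log line and decide whether the source is spoofed.

    The decision uses the ingress interface, not just the address: a 127/8
    source is legitimate only when the packet arrived on the loopback adapter.
    """
    fields = line.strip().split(",")
    if len(fields) != 8:
        raise ValueError(f"unexpected field count in log line: {line!r}")
    _action, _date, _time, iface, src, dst, _proto, ttl_text = fields
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    ttl = int(ttl_text)
    spoofed = src_ip in LOOPBACK_NET and iface != LOOPBACK_IFACE
    return Verdict(iface, src, dst, ttl, spoofed, estimate_hops(ttl))


def analyze(log_text: str) -> List[Verdict]:
    """Classify every non-empty line of a log."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for v in analyze(SAMPLE_LOG):
        flag = "SPOOFED loopback source" if v.spoofed_loopback else "ok"
        print(f"{v.iface:5} {v.src:>20} -> {v.dst:<18} ttl={v.ttl:3} "
              f"hops~{v.estimated_hops} {flag}")
```

The point of keying the check on the ingress interface is the one David raises: putting 127.0.0.1 in a trusted zone is an address-only rule, so a product that relies on it alone cannot tell a genuine loopback connection from a forged one that "physically" arrived on the dial-up adapter. The hop estimate is only a heuristic; a sender with a default TTL of 64 that is four hops away would also appear as 60, so it supports a guess like the one in the thread rather than proving it.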