Security Incidents mailing list archives

RE: Bad Loopback packets


From: "Tarun Bhushan" <tarun.bhushan () macquarie com>
Date: Fri, 23 Apr 2004 17:23:01 +1000

Very likely it is one or more Blaster infected Windows machines. The
host(s) could have a HOSTS file entry pointing to 127.0.0.1 for
windowsupdate.com (as was recommended by some media articles at the time
of Blaster), or could potentially be a DNS entry with this resolution.

For more details, see
http://www.securityfocus.com/archive/75/342726/2003-10-24/2003-10-30/0.

Regards
Tarun

-----Original Message-----
From: Neil Dickey [mailto:neil () geol niu edu]
Sent: Friday, 23 April 2004 5:10 AM
To: incidents () securityfocus com
Subject: Bad Loopback packets


We've been seeing what Snort calls "bad loopback traffic" in our
university network for perhaps a week and a half now, and we've
had no luck in tracking down the source much less figuring out
what is generating it.

Here's what the packets look like:

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/21-16:17:39.669986 0:A:BB:CC:DD:EE -> 0:FF:GG:HH:II:JJ type:0x800 len:0x3C
127.0.0.1:80 -> 131.156.XX.YYY:1903 TCP TTL:125 TOS:0x0 ID:323 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x474A0001  Win: 0x0  TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

The MAC addresses and part of the target address are obfuscated.

My sensor is located within a subnet of the university network,
and the MAC address of the "source" is that of our subnet border
router.  The packets do not, therefore, originate from within
our subnet.  Conversations with other sysops indicate that these
packets are observed more-or-less everywhere within the university
network.

The target ports vary between 1000 and 2000 exclusively, with the
lowest number I have seen being 1002 and the highest 1999.  The
source port is always 80, and the packets are always ACK-RST.  The
window size is always zero.

Traffic can be spotty.  We may see lots of these for a couple of
days, followed by none at all for most of a day, and then it will
pick up again.

Target machines include unix boxes, Macs, and PCs.  Boxes which
are most active on the network receive more of these packets than
do others.  For instance, our mail server has received 501 since
early Sunday morning, and one of our webservers 217, while a
typical PC got 15 during the same interval.  About half the
machines in our subnet have received none at all.

I don't know why loopback traffic is being allowed to pass our
internal routers; in any event I have no control over them.  It
is possible there is something here I don't understand, but it
seems to me that such traffic shouldn't be allowed out of or into
a subnet -- much less in through our border routers, if that's
where it's coming from.

I have tried Google, and what I find is other people asking the
same question, but few answers.  One such suggested that these
packets could be a sort of recon, but I don't see how:  Any
response generated by the probed box would never get back to
the source.

I would be most grateful if anyone could explain what's happening
here.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
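A triage script for alerts like the one quoted above, added here as an illustration and not part of either message: it parses Snort's full-alert layout, keeps only 127/8-sourced ACK-RST packets whose source MAC is the border router (loopback traffic that crossed a router, as Neil describes) and counts them per target. It assumes the sender is a Windows host starting at the default TTL of 128 when turning TTL 125 into a hop estimate; the MACs and 131.156.x.y targets in the sample are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "full" alerts in the layout quoted in the post (MACs and the
# 131.156.x.y targets are made up); the first MAC stands in for the border router.
BORDER_ROUTER_MAC = "00:0a:bb:cc:dd:ee"
SAMPLE_ALERTS = """\
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/21-16:17:39.669986 0:A:BB:CC:DD:EE -> 0:11:22:33:44:55 type:0x800 len:0x3C
127.0.0.1:80 -> 131.156.10.20:1903 TCP TTL:125 TOS:0x0 ID:323 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x474A0001  Win: 0x0  TcpLen: 20
[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/21-16:18:02.104411 0:11:22:33:44:77 -> 0:11:22:33:44:55 type:0x800 len:0x3C
127.0.0.1:80 -> 131.156.10.20:1044 TCP TTL:128 TOS:0x0 ID:871 IpLen:20 DgmLen:40
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""

# One match per alert: the Ethernet line, the IP line and the TCP flags line.
ALERT_RE = re.compile(
    r"^(\S+) (\S+) -> (\S+) type:0x\w+ len:0x\w+\n"
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP TTL:(\d+)[^\n]*\n"
    r"([A-Z*12]{8}) Seq: 0x\w+\s+Ack: 0x\w+\s+Win: 0x(\w+)", re.MULTILINE)

def norm_mac(mac):
    # Snort prints MAC octets without zero padding ("0:A:BB:...")
    return ":".join(p.zfill(2).lower() for p in mac.split(":"))

def parse_alerts(text):
    recs = []
    for m in ALERT_RE.finditer(text):
        ts, smac, dmac, src, sport, dst, dport, ttl, flags, win = m.groups()
        recs.append({"ts": ts, "src_mac": norm_mac(smac), "dst_mac": norm_mac(dmac),
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "ttl": int(ttl), "flags": flags, "win": int(win, 16)})
    return recs

def is_loopback_reset(r):
    # The pattern in the post: 127/8 source, sport 80, ACK+RST, zero window, dport 1000-1999
    return (ipaddress.ip_address(r["src"]).is_loopback and r["sport"] == 80
            and "A" in r["flags"] and "R" in r["flags"] and "S" not in r["flags"]
            and r["win"] == 0 and 1000 <= r["dport"] <= 1999)

def summarize(recs, router_mac):
    # Only count resets that arrived via the border router, i.e. from outside the segment
    hits = [r for r in recs if is_loopback_reset(r) and r["src_mac"] == norm_mac(router_mac)]
    return {"total": len(recs), "matching": len(hits), "per_target": Counter(r["dst"] for r in hits),
            "hops": sorted({128 - r["ttl"] for r in hits})}  # assumes Windows default TTL 128
```

Run against a real alert file, a non-empty per_target count with source MAC equal to the router is the signal that the resets are entering the segment rather than being generated on it.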
