November 29th, 2003 05:23 PM
network reporting strange local loopback activity
I have a small home network consisting of two computers. My host machine is running a software firewall called kerio, it comes with built in IDS. I set up my client machine with a syslog daemon to capture my firewall logs.
My logs are being filled with "BAD-TRAFFIC loopback traffic" and port scans. This seems to me to be a missconfiguration somewhere.
I searched google and found dozens of posts regarding these alerts, but non of the responces made sence to me or fully answered the question,
some said it was a mis configured DHCP, and this makes some sence because my ISP uses that, but others refered to a link regarding egress,
I don't fully understand what is going on and what I can do to reduce the amount of allerts.
Ive attached a copy of my log, can some please explain to me whats going on.
November 29th, 2003 05:44 PM
Just guessing here based on what info is in the logs but looks like an attempt to "spoof" using private addressing or localhost addressing. The first set of queries (ICMP PING CyberKit 2.2 Windows) might be Nachia or a similar worm. (see this for more info: http://vil.nai.com/vil/content/v_100559.htm ). The spoofed packets might also be the propogation effects of the worm.
November 29th, 2003 06:09 PM
I agree with MsMittens,
It's probably spoofing of the ip-address , it gets explained even when you follow the link that you can find in the log " http://rr.sans.org/firewall/egress.php " it explains what egress filtering is and also explains what spoofing is (to some extend).
But the packets get dropped as you can also see in the log so I asume your safe, but better find out where it's comming from just to be sure..;if it's from outside you network you're probably safe .
So I just wanted to say I agreed
Back when I was a boy, we carved our own IC's out of wood.
November 29th, 2003 06:49 PM
Thanks for this info, I was unaware someone or a worm could spoof themselfs to look like my network. Im sure glad they are being dropped then. It dose not make sence however why the port scans are being alowed.
tracert on 18.104.22.168 reported belonging to a uunet, my isp owns 22.214.171.124 - 126.96.36.199, I think the port scans are external, it concerns me that these scans are being permited.
I finaly downloaded adobe acrobatic reader, which is why I was unable to read the paper from sans last night discribeing the local loopback reports, but I think I am understanding now. So realy there is nothing I can do then since it is not belonging to my network, corect?
Thanks for all the help.
November 29th, 2003 06:53 PM
Sure there is. You could still file a complaint with the ISP it comes from. Some isps may inform their users of infection. Can't hurt but might help. At worse they will do nothing. At best they will help the user.
November 29th, 2003 07:41 PM
Thanks, I will send a report to the isp, and let them deal with it, I just send a copy of the log and a brief explanation corect?
November 29th, 2003 09:46 PM
Ya. Generally that's what I do. They may or may not respond but at least you warned them.