Thread: network reporting strange local loopback activity

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Posts
    282

    network reporting strange local loopback activity

    I have a small home network consisting of two computers. My host machine is running a software firewall called kerio, it comes with built in IDS. I set up my client machine with a syslog daemon to capture my firewall logs.

    My logs are being filled with "BAD-TRAFFIC loopback traffic" and port scans. This seems to me to be a misconfiguration somewhere.

    I searched Google and found dozens of posts regarding these alerts, but none of the responses made sense to me or fully answered the question.

    Some said it was a misconfigured DHCP, and this makes some sense because my ISP uses that, but others referred to a link regarding egress.

    I don't fully understand what is going on and what I can do to reduce the amount of alerts.

    I've attached a copy of my log; can someone please explain to me what's going on?

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Just guessing here based on what info is in the logs, but it looks like an attempt to "spoof" using private addressing or localhost addressing. The first set of queries (ICMP PING CyberKit 2.2 Windows) might be Nachia or a similar worm (see this for more info: http://vil.nai.com/vil/content/v_100559.htm ). The spoofed packets might also be the propagation effects of the worm.

    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    I agree with MsMittens,

    It's probably spoofing of the IP address. It gets explained when you follow the link that you can find in the log, " http://rr.sans.org/firewall/egress.php ": it explains what egress filtering is and also explains what spoofing is (to some extent).
    But the packets get dropped, as you can also see in the log, so I assume you're safe, but better find out where it's coming from just to be sure; if it's from outside your network you're probably safe.

    So I just wanted to say I agreed.
    Back when I was a boy, we carved our own IC's out of wood.
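    As an added illustration (not from the thread, the SANS paper, or Kerio), the ingress/egress anti-spoofing checks discussed above, in Python: it flags loopback addresses seen on a real interface (the "BAD-TRAFFIC loopback traffic" case), private or own-prefix sources arriving from the Internet, and outbound packets whose source is not the firewall's own prefix. The simplified "direction src dst" log shape and the LAN prefix 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress

# Blocks that must never appear as source or destination on a wire interface (loopback),
# or as a source arriving from the Internet (private / special-use, i.e. bogon ranges).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def classify(src, dst, direction, lan="192.168.1.0/24"):
    """Return the anti-spoofing rule(s) a packet on the WAN link violates.

    direction: "in" = arriving from the Internet, "out" = leaving toward it.
    lan: the single prefix this firewall may legitimately originate traffic from (assumed).
    An empty list means the packet is plausible and goes on to normal policy.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lan_net = ipaddress.ip_network(lan)
    reasons = []
    if s in LOOPBACK or d in LOOPBACK:
        # 127/8 is host-internal; seen on a real NIC it is forged or a broken stack.
        reasons.append("loopback address on the wire")
    if direction == "in" and (s in lan_net or any(s in b for b in BOGONS)):
        # Ingress filtering: the Internet cannot legitimately send packets "from" our own LAN.
        reasons.append("ingress: private/own source from outside")
    if direction == "out" and s not in lan_net:
        # Egress filtering: only our own prefix may leave; anything else is a misconfiguration
        # or a compromised host forging sources toward someone else's network.
        reasons.append("egress: source outside our prefix")
    return reasons

def triage(log_lines, lan="192.168.1.0/24"):
    """Count violations per rule over simplified 'direction src dst' log lines."""
    counts = {}
    for line in log_lines:
        direction, src, dst = line.split()
        for r in classify(src, dst, direction, lan):
            counts[r] = counts.get(r, 0) + 1
    return counts

# Constructed sample entries in a simplified "direction src dst" shape (not Kerio's real format).
SAMPLE_LOG = [
    "in 127.0.0.1 192.168.1.2",       # loopback source from the Internet: the BAD-TRAFFIC alert
    "in 192.168.1.2 192.168.1.2",     # Internet packet claiming to be our own LAN host
    "in 10.0.0.5 192.168.1.2",        # RFC 1918 source arriving from outside
    "in 208.254.46.52 192.168.1.2",   # ordinary public source: passes anti-spoofing
    "out 192.168.1.2 208.254.46.52",  # legitimate outbound traffic
    "out 172.16.4.4 208.254.46.52",   # egress failure: not our prefix
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d, s, t = line.split()
        print(f"{line:32s} -> {classify(s, t, d) or ['ok']}")
    print(triage(SAMPLE_LOG))
```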

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    Thanks for this info, I was unaware someone or a worm could spoof themselves to look like my network. I'm sure glad they are being dropped then. It does not make sense, however, why the port scans are being allowed.

    tracert on 208.254.46.52 reported it belonging to UUNET; my ISP owns 24.100.0.0 - 24.102.255.255. I think the port scans are external, and it concerns me that these scans are being permitted.

    I finally downloaded Adobe Acrobat Reader, which is why I was unable to read the paper from SANS last night describing the local loopback reports, but I think I am understanding now. So really there is nothing I can do then, since it is not belonging to my network, correct?

    Thanks for all the help.

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Sure there is. You could still file a complaint with the ISP it comes from. Some ISPs may inform their users of infection. Can't hurt but might help. At worst they will do nothing. At best they will help the user.

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    Thanks, I will send a report to the ISP and let them deal with it. I just send a copy of the log and a brief explanation, correct?

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Ya. Generally that's what I do. They may or may not respond but at least you warned them.