odd packets with 127.0.0.1:80 as source adres

I need some input from the infinite knowledge of AO :D

On our firewall we are receiving some odd packets. They originate on the Internet and are directed to our webservers. All packets have 127.0.0.1 port 80 as a source and all of them are RST packets. The source mac adres is our ISP router and the destination mac is our firewall. So i'm sure these are 'generated' outside our infrastructure. I've also contacted our ISP to ask them if they can spot anything funny on that router.

What could be generating these packets? Is it a badly configured router somewhere? Is it some clueless wannabee scanner?

BTW none of those packets will get through. They're all blocked on the firewall but it's going on for some time now and it's driving me nuts :confused:

Here's a capture of some of those packets (captured using tcpdump -n -e host 127.0.0.1) :

Code:

---

14:51:31.314480 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.17.1348: R 0:0(0) ack 1106706433 win 0
14:52:11.834661 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.15.1529: R 0:0(0) ack 716898305 win 0
14:52:13.121266 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.30.1551: R 0:0(0) ack 164888577 win 0
14:52:23.435843 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.28.1165: R 0:0(0) ack 1912864769 win 0
14:52:32.677496 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.13.1307: R 0:0(0) ack 110690305 win 0
14:52:33.836762 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.13.1609: R 0:0(0) ack 920846337 win 0
14:53:22.145970 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.14.1395: R 0:0(0) ack 112459777 win 0
14:53:27.828275 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.35.1988: R 0:0(0) ack 1490550785 win 0
14:53:39.791186 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.25.1783: R 0:0(0) ack 1848901633 win 0
14:54:02.720954 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.11.1344: R 0:0(0) ack 616824833 win 0
14:54:09.907746 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.37.1288: R 0:0(0) ack 1197867009 win 0
14:55:02.874700 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.37.1587: R 0:0(0) ack 1462173697 win 0
14:55:13.576690 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.12.1361: R 0:0(0) ack 1119289345 win 0
14:55:14.673549 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.11.1895: R 0:0(0) ack 1 win 0
14:55:20.060383 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.20.1435: R 0:0(0) ack 1955528705 win 0
14:55:26.276786 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.24.1531: R 0:0(0) ack 83689473 win 0
14:55:35.559046 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.10.1440: R 0:0(0) ack 428998657 win 0
14:55:44.766284 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.23.1400: R 0:0(0) ack 1 win 0
14:55:54.062842 0:a:b7:51:79:c0 0:e0:b6:5:f0:1b 0800 60: 127.0.0.1.80 > x.x.x.9.1542: R 0:0(0) ack 1623654401 win 0
14:56:05.658767 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.22.1946: R 0:0(0) ack 1925447681 win 0
14:56:15.016338 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.22.1967: R 0:0(0) ack 34668545 win 0
14:56:18.776838 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.12.1507: R 0:0(0) ack 946470913 win 0
14:56:49.728211 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.13.1495: R 0:0(0) ack 1901002753 win 0

---

Blind spoof of some type?

http://cert.uni-stuttgart.de/archive.../msg00013.html
http://forums.zonelabs.com/zonelabs/...essage.id=2194

Apparently you're not alone however. I'd hazard to guess that someone has made a new IP spoofing tool/worm that uses 127.0.0.1 for source ip and HTTP for port.

Quote:

---

14:55:13.576690 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.12.1361: R 0:0(0) ack 1119289345 win 0
14:55:14.673549 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.11.1895: R 0:0(0) ack 1 win 0
14:55:20.060383 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.20.1435: R 0:0(0) ack 1955528705 win 0
14:55:26.276786 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.24.1531: R 0:0(0) ack 83689473 win 0
14:55:35.559046 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.10.1440: R 0:0(0) ack 428998657 win 0
14:55:44.766284 0:a:b7:51:79:c0 0:e0:b6:5:f3:f3 0800 60: 127.0.0.1.80 > x.x.x.23.1400: R 0:0(0) ack 1 win 0

---

I went back to look at your capture (think you could get more and make it more verbose?). look at the packets I've bolded. Struck me as odd. (Old Sesame Street song comes to mind -- which one doesn't belong)

Sequence numbers are going way weird with the occassional "repeat" of sequence 1 and window size is 0 (?? what OS/Protocol uses a window size of 0)

Those looked odd to me too. They appear quite often but not really on a regular basis.
I'll see if I can capture some more. I'll also see if I can log the payload (if any).

Quote:

---

Originally posted here by MsMittens
Blind spoof of some type?

http://cert.uni-stuttgart.de/archive.../msg00013.html
http://forums.zonelabs.com/zonelabs/...essage.id=2194

Apparently you're not alone however. I'd hazard to guess that someone has made a new IP spoofing tool/worm that uses 127.0.0.1 for source ip and HTTP for port.

---

These look strangely familiar indeed. But for a blind spoof I would expect to see at least a couple of SYN packets and I only get RST packets.

A'ight. Did some more digging myself in the mean time and there's not a lot to be found about this. The only responses I saw where people brushing this off as a side effect of blaster attacking windowsupdate.com. The explaination is that some DNS servers (hosts file?) are (mis)configured to return 127.0.0.1 when queried for windowsupdate.com. That would stop the attack from ever reaching the intended site. Blaster then sends a SYN to 127.0.0.1:80 with a spoofed source and doesn't get very far. So far so good. I can understand that. Unfortunately the resulting RST packets are send to the spoofed address/ports, which happen to be ours. But why on earth are these RST packets with source address 127.0.0.1 routed to the rest of the world? Why does it even leave the infected machine? Seems odd. I cannot see any reason for responses to packets send to the loopback address to even be able to leave the local machine. Isn't localhost the only one able to send something to localhost? Or is this some tcp/ip stack implementation feature?

No feature I know of. I'm leaning towards new tool or something like that.. new scanner maybe? Checking to see what routers/switches let the packets through? New DoS (DDoS?)?

Right now, gut says this is not "expect" or part of an existing system but rather intended by a creator for a particular reason..

I may be way off base, but I've noticed that after running a program to capture what software is comunicating on what ports, I always get IE with an address of 127.0.0.1 port 80 sending packets back to my real address.

Looks like a spoof......but 127.0.0.1 shouldn't be routeable on the "internet"...somewhere from within the compnay bouncing around...........idk

MsMittens: A RST packet always has a windowsize of 0. The only time an RST packet would have a sequence number of 1 is when an existing connection is torn down.

danara: You can rest assured it's nothing I introduced myself. There isn't a windows machine anywhere near that connection. It's a segment with only networking equipment. There are no hosts on that segment.

shaded: I'm 100% sure it comes from our Internet connection and not the other way around. The source MAC address belongs to the ISP's router.