I forgot about this thread.... Hogfly had something like this happen to him recently but it used something other than 127.0.0.1, but all the packets were RST packets. If I see him I will ask him to post what he found out.
Without looking into this post (I don't have time just right now), what I was seeing a while back was DoS backscatter from an IRC network being DoS'ed offline. 127.0.0.1:80 seems more like a spoof attempt but I will take a better look later.
-hog
p.s. sirdice: run tcpdump -netttvXi next time. It'd help to have more info.
I came across the same thing using 'iptraf' on my Linux box. Seems to be something to do with loopback? Or, as they say, a spoofed IP. Must be one h*** of a program.
Has anybody who's been reading this thread been looking at this one at Full Disclosure? I dunno why but I wonder if it's related or the same?!
Unfortunately I had to put this on hold because of the flu :( After that I had to do some code audits. If I have some time left I'll try and pick this up again. AFAIK this is still going on. I will try to capture some of the packets with the switches hogfly mentioned.
OK, this looks almost exactly like what I had seen. TCP ACK/RSTs, matching/repeating sequence numbers etc. The fact that everything is coming from 127.0.0.1:80 is an indication. In my experience, everything was coming from one IP address (the victim of the DoS) and hitting numerous nodes across our campus. The 127.0.0.1 could be nothing more than the IP configuration of the machine in a DNS zone on someone's network. This screams of backscatter to me at this point, and I would attribute it to that. Read the paper on the following link. It seems to fit the mold here.
http://www.caida.org/outreach/papers...security01.pdf
-hog
Msmittens: the blind TCP hijack/insertion technique I don't think applies here. The attack is more advanced than 90% of the people reading that list, and it wouldn't be as uniform and clean IMO in a packet dump. I think you would be able to see the attempt in action. I could be wrong though.
Has anyone got any further explanations of this yet? There are many different posts all over the Internet, which I have been watching for over 2 years since I first started seeing the problem; I've read posts and arguments from some very smart people. I have not yet seen a definitive answer to the problem. In my case the attack is either from beyond the Default Gateway Router or from the ISP router itself (less likely).
The Linux server receiving the attacks correctly identifies them as a Martian Source (for those who don't know, it's an IP address seen where it shouldn't physically exist). I've included the syslog entry below; the dest IP has been changed to protect the innocent...
Sep 27 21:57:03 joepass kernel: martian source 217.X.X.X from 127.0.0.1, on dev eth0
Sep 27 21:57:03 joepass kernel: ll header: 00:04:75:7e:0b:e4:00:d0:ff:8d:f4:00:08:00
This shows the destination MAC (eth0) and the source MAC (default gateway), so not much info to be had there. The next thing I have to contribute is a packet dump from tcpdump. The actual command used was: tcpdump -ne -ttt -v -X -i eth0 src 127.0.0.1
000000 00:d0:ff:8d:f4:00 > 00:04:75:7e:0b:e4, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 123, id 63314, offset 0, flags [none], length: 40) 127.0.0.1.80 > 217.x.x.x.1669: R [tcp sum ok] 0:0(0) ack 502530049 win 0
0x0000: 4500 0028 f752 0000 7b06 7517 7f00 0001 E..(.R..{.u.....
0x0010: d99e 7ac6 0050 0685 0000 0000 1df4 0001 ..z..P..........
0x0020: 5014 0000 b7a0 0000 0000 0000 0000 P.............
736091 00:d0:ff:8d:f4:00 > 00:04:75:7e:0b:e4, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 123, id 63403, offset 0, flags [none], length: 40) 127.0.0.1.80 > 217.x.x.x.1038: R [tcp sum ok] 0:0(0) ack 1119682561 win 0
0x0000: 4500 0028 f7ab 0000 7b06 74d1 7f00 0001 E..(....{.t.....
0x0010: d99e 7ab3 0050 040e 0000 0000 42bd 0001 ..z..P......B...
0x0020: 5014 0000 9561 0000 0000 0000 0000 P....a........ssd
If anyone can shed any light on this, it'd be great! No prizes for figuring the IP from the hex.
T.
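To check hogfly's backscatter reading against the dump above, here is an added Python example (not code from the thread) that decodes the IPv4 and TCP header fields from tcpdump -X hex and tests for the two properties a defender would look for: a loopback source arriving on a real interface (what the kernel logs as a martian) and the RST/ACK, seq 0, win 0 shape of a reset sent in reply to a SYN the receiver never sent. The hex is a constructed copy of the first packet above with the masked destination replaced by the documentation address 203.0.113.5.

```python
import ipaddress
import struct

# Constructed sample modelled on the tcpdump -X output quoted in the thread: same
# TTL, IP id, ports, ack, flags and window, destination replaced by 203.0.113.5.
SAMPLE_HEXDUMP = """\
0x0000: 4500 0028 f752 0000 7b06 7517 7f00 0001
0x0010: cb00 7105 0050 0685 0000 0000 1df4 0001
0x0020: 5014 0000 b7a0 0000 0000 0000 0000
"""

TCP_RST, TCP_ACK = 0x04, 0x10

def hexdump_to_bytes(dump):
    """Collapse 'tcpdump -X' lines ('0x0010: cb00 7105 ...') into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            raw += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
    return bytes(raw)

def parse_ipv4_tcp(raw):
    """Decode IPv4 + TCP headers from a packet that starts at the IP header."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", raw[ihl:ihl + 16])
    return {"ttl": ttl, "id": ident, "len": total_len,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window}

def is_martian(src, iface):
    """A loopback source on a non-loopback interface is the kernel's 'martian source'."""
    return ipaddress.ip_address(src).is_loopback and iface != "lo"

def is_backscatter_like(pkt):
    """RST/ACK with seq 0 and win 0 from a service port: the shape of a reset
    to a SYN the receiver never sent, i.e. the backscatter hypothesis above."""
    return (pkt["flags"] == (TCP_RST | TCP_ACK) and pkt["seq"] == 0
            and pkt["window"] == 0 and pkt["sport"] < 1024)

if __name__ == "__main__":
    pkt = parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print(pkt, is_martian(pkt["src"], "eth0"), is_backscatter_like(pkt))
```

A SYN-flood victim answering spoofed SYNs would produce exactly this RST/ACK pattern at many unrelated hosts; a spoofed loopback source is the one detail this shape alone cannot explain.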
I'm not really good at packets and IP, but isn't 127.0.0.1 the computer's IP?
I.e. this comp's IP is 24.XX.XXX.XXX and that is how it is seen online, but to the computer itself it is seen as 127.0.0.1?
Gonna blindly hit this, but wouldn't that suggest that the computer is scanning itself?
I am unable to help on this problem, but feel bound to post this:
This is a good question, but you have used a VERY old thread to attach it to; it MIGHT have been better if you had linked to this thread from a new thread.
That said, this is still a valid post, so don't shoot him down too soon ............ :p
And Yes; the green is from me, as a sort of protection from random reds :D
[edit] hex: if you read the whole thread, you will see that it has been vexing folks for a LONG LONG time, or at the very least, they didn't come back with a definitive answer. [/edit]
[edit 2] Bliss is mine ........... MsM has said the same as ME...... only she got there first: Damn typewriting skills. [/edit 2]
Well, given this was never solved AFAIK, it's not a bad thing to bring this particular thread up. Perhaps Sir Dice can let us know if he did ever find a solution or identify what the source of all this was.
hexadecimal, did you read the whole thread?