Open Source and information security mailing list archives
Message-ID: <20040525203525.GD598@freesbee.wheel.dk>
From: ssch at wheel.dk (Steffen Schumacher)
Subject: Odd packet?

On 25.05.2004 21:55:19 +0000, Maarten wrote:
> On Tuesday 25 May 2004 15:57, Gregh wrote:
> > Getting quite a few 127.0.0.1 on differing ports lately and I know it isn't
> > originating FROM this machine. Haven't sniffed any packets but they come up
> > in logs.
>
> Not saying what you see must be wrong but, if your routing / packetfilter /
> kernelsettings were properly configured you would not ever get these packets
> as they would be dropped before they would reach your machine. If not your
> ISP, then you (indeed everyone) should always drop packets coming from
> interfaces they _cannot_ originate from. Antispoofing, that's called.
> Especially 127.x.x.x is not routed by any ISP which is worth their name.
>

Logs may still detect packets constructed with a 127/8 address.
However, as you said, no ISP, which has to follow rules and regulations
in the western world allows spoofing of or even routing of the 127/8 net.
So Maarten, if you want to write again, please have packetdumps proving your case.

/Steffen

> Maybe review your setting of /proc/sys/net/ipv4/conf/eth0/rp_filter ?
>
> > Anyone know of anything that spoofs as coming from 127.0.0.1 but comes from
> > outside and what it may relate to? Only been the last week and nothing
> > changed here. Thanks for any help.
>
> Notwithstanding what I said above, spoofing 127.0.0.1 would not really serve a
> purpose for an attacker. A full TCP handshake would never occur, and a DoS
> is likewise impossible (or at least real unlikely). But who knows...
>
> Any packet dumps available ?
>
> Maarten
>
> --
> Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
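
Added example, not part of the original thread: a small Python filter for the situation discussed above, flagging logged packets whose source is in 127/8 but which arrived on a non-loopback interface. It assumes the logs are in netfilter LOG format (IN=, SRC=, SPT= fields); the sample lines, host name and interface names are constructed.

```python
import ipaddress
import re

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample lines in netfilter LOG format (not taken from the thread).
SAMPLE_LOG = """\
May 25 15:57:01 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=203.0.113.5 LEN=40 TTL=120 PROTO=TCP SPT=80 DPT=1441 ACK RST
May 25 15:57:02 gw kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=25 SYN
May 25 15:57:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=51000 DPT=22 SYN
May 25 15:57:09 gw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=203.0.113.5 LEN=40 TTL=121 PROTO=TCP SPT=80 DPT=1802 ACK RST
May 25 15:57:10 gw kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=40113 DPT=25 SYN
"""

def parse_line(line):
    """Return the KEY=value fields of one LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def spoofed_loopback(lines, loopback_ifaces=("lo",)):
    """Yield records with a 127/8 source that arrived on a non-loopback
    interface, i.e. packets that antispoofing should have dropped."""
    for line in lines:
        rec = parse_line(line)
        # An empty IN= means the packet was generated locally, not received.
        if not rec.get("IN") or "SRC" not in rec:
            continue
        try:
            src = ipaddress.ip_address(rec["SRC"])
        except ValueError:
            continue  # malformed address field, skip the line
        if src in LOOPBACK_NET and rec["IN"] not in loopback_ifaces:
            yield rec

def summarize(lines):
    """Count spoofed-loopback hits per (inbound interface, source port)."""
    counts = {}
    for rec in spoofed_loopback(lines):
        key = (rec["IN"], rec.get("SPT", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (iface, spt), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n} packet(s) with 127/8 source on {iface}, source port {spt}")
```

Any hit means the packet reached the logging rule before being dropped, which is the case where the rp_filter setting mentioned in the thread is worth reviewing.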