Message-ID: <200405260829.30757.mklinke@futzin.com>
From: mklinke at futzin.com (Mike Klinke)
Subject: Odd packet?

On Wednesday 26 May 2004 04:05, Valentino Squilloni - Ouz wrote:
> On Wed, 26 May 2004, Steffen Schumacher wrote:
>
> []
>
> > However, as you said, no ISP, which has to follow rules and
> > regulations in the western world allows spoofing of or even
> > routing of the 127/8 net.
>
> Yes, but 127/8 as the source or the destination ?
>
> Even the OP didn't mention this.  I'm prone to believe those
> packets have 127.0.0.1 as the source of the packets.

You're correct. I thought I'd sent this to the list last night but 
didn't watch the to: field carefully enough on my reply.

I don't know the mechanism but I think I know what you were 
seeing.  Here is an ethereal packet capture from the time.  We, too,  
were constantly seeing our ISP controlled perimeter router sending 
these packets to our internal equipment. The source MAC address here 
is the perimeter router (Cisco 1700) and the ISP was pretty much 
stumped over the cause.

Regards,  Mike Klinke

----------

Ethereal Frame 1 (60 on wire, 60 captured) 
Arrival Time: Aug 18, 2003 13:48:32.919516000 
Time delta from previous packet: 0.000000000 seconds 
Time relative to first packet: 0.000000000 seconds 
Frame Number: 1 
Packet Length: 60 bytes 
Capture Length: 60 bytes 
Ethernet II 
Destination: 00:01:02:ee:21:95 (00:01:02:ee:21:95) 
Source: 00:06:d7:ee:3a:89 (00:06:d7:ee:3a:89) 
Type: IP (0x0800) 
Trailer: 000000000000 
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), 
  Dst Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 
Version: 4 
Header length: 20 bytes 
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 
0000 00.. = Differentiated Services Codepoint: Default (0x00) 
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0 
Total Length: 40 
Identification: 0x252b 
Flags: 0x00 
.0.. = Don't fragment: Not set
..0. = More fragments: Not set 
Fragment offset: 0 
Time to live: 121 
Protocol: TCP (0x06) 
Header checksum: 0x44e2 (correct) 
Source: 127.0.0.1 (127.0.0.1) 
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 
Transmission Control Protocol, 
  Src Port: 80 (80), Dst Port: 1319 (1319), 
  Seq: 0, Ack: 986251265, Len: 0 
Source port: 80 (80) 
Destination port: 1319 (1319) 
Sequence number: 0 
Acknowledgement number: 986251265 
Header length: 20 bytes 
Flags: 0x0014 (RST, ACK) 
0... .... = Congestion Window Reduced (CWR): Not set 
.0.. .... = ECN-Echo: Not set 
..0. .... = Urgent: Not set 
...1 .... = Acknowledgment: Set 
.... 0... = Push: Not set 
.... .1.. = Reset: Set 
.... ..0. = Syn: Not set 
.... ...0 = Fin: Not set 
Window size: 0 
Checksum: 0x97cc (correct) 
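
An added example, not part of the original message: a Python check a sensor on the inside link could run to flag frames like the one decoded above, where an IPv4 loopback address shows up on the wire. The sample frame is constructed from the field values in the decode, with 192.0.2.10 as a placeholder destination and zeroed checksums; the function names are hypothetical.

```python
import ipaddress
import struct

def build_frame(src="127.0.0.1", flags=0x14):
    """Constructed Ethernet II/IPv4/TCP frame using field values from the decode.
    Destination IP is a placeholder (192.0.2.10); checksums are left at zero."""
    eth = bytes.fromhex("000102ee2195" "0006d7ee3a89" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x252B, 0, 121, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("192.0.2.10").packed)
    tcp = struct.pack("!HHIIBBHHH", 80, 1319, 0, 986251265, 5 << 4, flags, 0, 0, 0)
    return eth + ip + tcp

def inspect_frame(frame):
    """Return findings for one frame captured on a non-loopback interface."""
    findings = []
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return findings                      # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return findings                      # malformed IPv4 header
    src = ipaddress.IPv4Address(frame[26:30])
    dst = ipaddress.IPv4Address(frame[30:34])
    mac = frame[6:12].hex(":")               # sender on this segment
    # 127/8 must never appear on a physical link, as source or destination.
    if src.is_loopback:
        findings.append(f"martian source {src} ttl={frame[22]} via MAC {mac}")
    if dst.is_loopback:
        findings.append(f"martian destination {dst} via MAC {mac}")
    tcp = frame[14 + ihl:]
    if frame[23] == 6 and len(tcp) >= 20:    # protocol 6 = TCP
        sport, dport = struct.unpack("!HH", tcp[:4])
        if tcp[13] & 0x04:                   # RST bit
            findings.append(f"TCP RST {sport}->{dport} flags=0x{tcp[13]:02x}")
    return findings

if __name__ == "__main__":
    for line in inspect_frame(build_frame()):
        print(line)
```

The source MAC in the first finding identifies which device on the segment forwarded the frame, which is how the message ties these packets to the perimeter router.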

