On Tue, Jun 11, 2002 at 07:43:53AM +0800, Clinton Smith wrote:
> I have begun to see sparse connections of the following nature:
> 127.0.0.2:HIGHPORT --> 192.168.0.1:80 (SYN)
> 3 or 4 at a time coming from an internet gateway.

Guess this justifies these two IPF rules, which I'd been figuring
were just my rampant paranoia:

  block in log quick on mc0 from 127.0.0.0/8 to any
  block in log quick on mc0 from any to 127.0.0.0/8

> I have read the following:
> http://online.securityfocus.com/archive/1/166648

Then you know what the problem is.

> Q Has anyone seen this type of packet or am I just seeing
> badly configured network devices?

Would have to know more, but this feels a whole lot like someone
trying to exploit the condition you reference.

What OS are you using? What version? Have you tried using tcpdump
and friends to trace the real source of these packets?

-- 
gabriel rosenkoetter
grat_private
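An added example, not part of the original message: a Python check that scans `tcpdump -n` text output from the external interface and reports which of the two IPF rules quoted above each loopback-addressed packet would hit. The capture lines are constructed, the function name is hypothetical, and the line format assumed is tcpdump's usual `IP src.port > dst.port: Flags [..]` output.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The two rules from the message, keyed by which address is in 127.0.0.0/8.
RULES = {
    "src": "block in log quick on mc0 from 127.0.0.0/8 to any",
    "dst": "block in log quick on mc0 from any to 127.0.0.0/8",
}

# Assumed tcpdump -n IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not real traffic).
SAMPLE = """\
07:43:51.100001 IP 127.0.0.2.40211 > 192.168.0.1.80: Flags [S], seq 1, win 512, length 0
07:43:51.100950 IP 203.0.113.9.51514 > 192.168.0.1.80: Flags [S], seq 77, win 65535, length 0
07:43:52.300412 IP 127.0.0.2.40212 > 192.168.0.1.80: Flags [S], seq 2, win 512, length 0
07:43:52.900000 IP 198.51.100.7.3101 > 127.0.0.1.80: Flags [S], seq 5, win 512, length 0
07:43:53.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.254, length 28
"""


def find_loopback_martians(lines):
    """Return one dict per packet whose source or destination is in 127.0.0.0/8."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4/TCP lines (ARP etc.) are ignored
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address text in the capture
        side = "src" if src in LOOPBACK else "dst" if dst in LOOPBACK else None
        if side is None:
            continue
        hits.append({"ts": m["ts"], "src": str(src), "dst": str(dst),
                     "dport": int(m["dport"]), "flags": m["flags"],
                     "rule": RULES[side]})
    return hits


if __name__ == "__main__":
    for hit in find_loopback_martians(SAMPLE.splitlines()):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]} '
              f'[{hit["flags"]}] matches: {hit["rule"]}')
```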
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 13:57:58 PDT