Ascend Archive

Re: (ASCEND) Known attacks via 127.0.0.2 (rj0) ?



this was definitely spoofed. the hacker was either on your lan or dialed-up
into one of your maxes. look at it from the destination's point of view. if
you are being flooded from 127.0.0.x, where is it coming from?

127.0.0.x is a loopback address and can only be used locally on any machine.
if i ping 127.0.0.x i am pinging the machine that i am logged on to.

Leon

-----Original Message-----
>the subject says most of it: We had an attack with a large amount of
>ICMP packets. The new thing about the attack was the address they
>seem to appear from: 127.0.0.2. Note that this is no source address
>spoofing, they were not packets from 127.0.0.2 to some IP in our
>net but packets _from_ 127.0.0.2 _to_ some other address far away
>and not in our net. Looking for the way they have been generated


++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
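
The point made in the reply above, that 127.0.0.x should never appear as a source address on the wire, can be turned into a capture-side check. The following is an added example, not part of the original mail thread: it assumes raw IPv4 headers taken from a non-loopback interface, covers all of 127.0.0.0/8, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ICMP = 1  # IPv4 protocol number for ICMP

def parse_ipv4(header: bytes):
    """Return (src, dst, protocol) from a raw IPv4 header, or None if malformed."""
    if len(header) < 20:
        return None
    ver_ihl = header[0]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None
    src = ipaddress.IPv4Address(header[12:16])
    dst = ipaddress.IPv4Address(header[16:20])
    return src, dst, header[9]

def loopback_on_wire(packets):
    """Count ICMP packets, per (src, dst), whose source lies in 127.0.0.0/8."""
    hits = Counter()
    for raw in packets:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue  # truncated or non-IPv4 data: skip it
        src, dst, proto = parsed
        if proto == ICMP and src in LOOPBACK:
            hits[(str(src), str(dst))] += 1
    return hits

def make_header(src, dst, proto):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed sample capture from an outward-facing interface
# (documentation-range addresses, not taken from the thread).
SAMPLE = [
    make_header("127.0.0.2", "198.51.100.7", ICMP),
    make_header("127.0.0.2", "198.51.100.7", ICMP),
    make_header("192.0.2.10", "198.51.100.7", ICMP),  # ordinary source
    make_header("127.0.0.2", "198.51.100.7", 6),      # TCP, not ICMP
    b"\x45\x00",                                      # truncated header
]

if __name__ == "__main__":
    for (src, dst), n in loopback_on_wire(SAMPLE).items():
        print(f"{n} ICMP packets with loopback source {src} -> {dst}")
```

Any non-zero count from a physical interface means a host behind it is emitting packets with a forged or misconfigured source, which is what an egress filter dropping 127.0.0.0/8 sources would stop.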