
SANS ISC InfoSec Handlers Diary Blog



Unusual traffic from Loopback to Unused ARIN address

Published: 2009-10-17
Last Updated: 2009-10-18 15:05:17 UTC
by Rick Wanner (Version: 1)

Lode sent in some unusual traffic he is seeing from one of his servers. The traffic is Protocol 0 (IPv6 Hop by Hop), originates from a Loopback address, and is destined to 108.22.0.0, an address that used to be IANA reserved and was recently allocated to ARIN, but is currently not in use.

13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
 

Some searching shows references to this traffic from Solaris systems (this server is Debian Linux) dating back to at least 2002, but I couldn't find any concrete solutions. One reference suggests this traffic might be related to a misconfigured rootkit.
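One way to pick this pattern out of a larger capture, as an added example that is not part of the original diary: it parses tcpdump lines in the verbose format shown above and flags packets whose source is loopback but whose destination is not. The function names and the last sample line are constructed for illustration.

```python
import ipaddress
import re

# Verbose single-line tcpdump IPv4 format, as in the capture above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?proto:? [^()]+? \((?P<proto>\d+)\), "
    r"length:? (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# First four lines are from the diary; the last line is constructed normal traffic.
SAMPLE = """\
13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
13:02:52.100000 IP (tos 0x0, ttl 64, id 1234, offset 0, flags [DF], proto: TCP (6), length: 60) 192.0.2.10.51234 > 198.51.100.7.443: S
""".splitlines()

def flag_martians(lines):
    """Return a finding for each packet with a loopback source and a
    non-loopback destination (a packet that should never leave the host)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a verbose IPv4 line in the expected format
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src.is_loopback and not dst.is_loopback:
            reasons = ["loopback source leaving host"]
            if int(m["proto"]) == 0:
                reasons.append("IP protocol 0")
            if int(m["len"]) == 20:
                reasons.append("bare 20-byte IPv4 header, no payload")
            findings.append({"ts": m["ts"], "src": str(src),
                             "dst": str(dst), "reasons": reasons})
    return findings

def sources_by_destination(findings):
    """Group flagged packets by destination, listing distinct sources in numeric order."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["dst"], set()).add(f["src"])
    return {dst: sorted(srcs, key=ipaddress.ip_address) for dst, srcs in grouped.items()}

if __name__ == "__main__":
    for dst, srcs in sources_by_destination(flag_martians(SAMPLE)).items():
        print(f"{dst}: {len(srcs)} loopback sources -> {', '.join(srcs)}")
```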

Anybody who knows anything about this traffic and can provide insight, please contact me via our contact page.

 

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: bogon loopback