SANS ISC InfoSec Handlers Diary Blog


Unusual traffic from Loopback to Unused ARIN address

Published: 2009-10-17
Last Updated: 2009-10-18 15:05:17 UTC
by Rick Wanner (Version: 1)

Lode sent in some unusual traffic he is seeing from one of his servers. The traffic is IP protocol 0 (IPv6 Hop-by-Hop), originates from a loopback address, and is destined to 108.22.0.0, an address that used to be IANA reserved and was recently allocated to ARIN, but is currently not in use.

13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
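
As an added example (not part of the original diary), the following Python filter flags this pattern in tcpdump -v output: a loopback source leaving the host, IP protocol 0, and a bare 20-byte header. The function names are hypothetical, and the fifth sample line is constructed for contrast.

```python
import ipaddress
import re

# Constructed input: the four tcpdump -v lines quoted in the diary, plus one
# constructed ordinary TCP line for contrast.
SAMPLE = """\
13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
13:02:53.000001 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.10.54321 > 192.168.1.1.80: S 1:1(0) win 5840
"""

# Matches the verbose IPv4 header summary; a trailing ".port" on either address is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos (?P<tos>0x[0-9a-f]+).*?ttl (?P<ttl>\d+), id (?P<id>\d+),"
    r".*?proto:? (?P<pname>.+?) \((?P<proto>\d+)\), length:? (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def check_line(line):
    """Return (src, dst, ip_id, reasons) for a parsed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    reasons = []
    if src.is_loopback and not dst.is_loopback:
        # RFC 1122: 127/8 addresses must not appear outside a host
        reasons.append("loopback source on the wire")
    if int(m["proto"]) == 0:
        reasons.append("IP protocol 0")
    if int(m["len"]) == 20:
        reasons.append("bare 20-byte header, no payload")
    return str(src), str(dst), int(m["id"]), reasons

def suspicious(text):
    """Parsed lines whose loopback source is headed to a non-loopback destination."""
    hits = [check_line(line) for line in text.splitlines()]
    return [h for h in hits if h and "loopback source on the wire" in h[3]]

if __name__ == "__main__":
    for src, dst, ip_id, reasons in suspicious(SAMPLE):
        print(f"{src} -> {dst} id={ip_id}: {'; '.join(reasons)}")
```

Run over the capture above, all four packets are flagged on all three counts, and every one carries the same IP id (29423) despite the differing source addresses.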

Some searching shows references to this traffic from Solaris systems (this server is Debian Linux) dating back to at least 2002, but I couldn't find any concrete solutions. One reference suggests this traffic might be related to a misconfigured rootkit.

Anybody who knows anything about this traffic and can provide insight, please contact me via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

Keywords: bogon loopback