Lode sent in some unusual traffic he is seeing from one of his servers. The traffic is IP protocol 0 (IPv6 Hop-by-Hop), originates from a loopback address, and is destined to 220.127.116.11, an address in a block that used to be IANA reserved and was recently allocated to ARIN, but is currently not in use.
13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 18.104.22.168: ip 0
Some searching turns up references to this traffic from Solaris systems (this server is Debian Linux) dating back to at least 2002, but I couldn't find any concrete solutions. One reference suggests this traffic might be related to a misconfigured rootkit.
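As an added example (not part of this diary or the submitter's data), here is a small Python checker that parses tcpdump -v lines in the format shown above and flags the three things that make this traffic odd: protocol 0 in an IPv4 header, a loopback source address on the wire, and an IP datagram with no payload. The sample lines are constructed: the diary's own line plus an ordinary TCP SYN for contrast.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# tcpdump -v IPv4 summary: "<ts> IP (<header fields>) <src>[.port] > <dst>[.port]: <payload>"
LINE_RE = re.compile(
    r"^\S+ IP \((?P<hdr>.*?)\) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?: (?P<payload>.*)$"
)
PROTO_RE = re.compile(r"proto: [^(]+? \((?P<num>\d+)\)")
IPLEN_RE = re.compile(r"^ip (?P<len>\d+)$")   # "ip 0" = IP datagram carrying nothing

# Constructed sample: the diary's own line plus an ordinary TCP SYN for contrast.
SAMPLE_LINES = [
    "13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], "
    "proto: Options (0), length: 20) 127.0.0.181 > 18.104.22.168: ip 0",
    "13:02:53.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], "
    "proto: TCP (6), length: 60) 192.0.2.10.44321 > 198.51.100.5.80: Flags [S], length 0",
]

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Fields the checks need, or None for lines that are not tcpdump -v IPv4 summaries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = PROTO_RE.search(m.group("hdr"))
    iplen = IPLEN_RE.match(m.group("payload"))
    return {"src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "proto": int(proto.group("num")) if proto else None,
            "payload_len": int(iplen.group("len")) if iplen else None}

def anomalies(pkt: Dict[str, object]) -> List[str]:
    """Reasons a packet matches the diary's pattern; an empty list means it looks normal."""
    reasons = []
    if pkt["proto"] == 0:
        # Protocol 0 is HOPOPT (IPv6 Hop-by-Hop); it has no meaning inside an IPv4 header.
        reasons.append("protocol 0 (IPv6 Hop-by-Hop) inside IPv4")
    if pkt["src"].is_loopback:
        # 127/8 must never leave a host; on the wire it means a spoofed or mangled source.
        reasons.append("loopback source address on the wire")
    if pkt["payload_len"] == 0:
        reasons.append("IP datagram with empty payload")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(line, reasons) for every parsable line that trips at least one check."""
    return [(line, hits) for line in lines
            if (pkt := parse_line(line)) and (hits := anomalies(pkt))]
```

Feed it the output of `tcpdump -nv` on the affected server to see whether anything else shares these properties, and whether the traffic shows up on a non-loopback interface at all.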
Anybody who knows anything about this traffic and can provide insight please contact me via our contact page.
-- Rick Wanner - rwanner at isc dot sans dot org
Oct 17th 2009