Increase in tcp traffic from spoofed source to bogon?

Crist Clark crist.clark at globalstar.com
Fri Sep 26 16:56:34 UTC 2003


Pekka Savola wrote:
> 
> On Thu, 25 Sep 2003, Mike Tancsa wrote:
> > Is it all to 135 ?  I  drop lots of that at my border.  Each time I traced
> > it back to the customer, it was some infected machine that was not being
> > natted for various reasons.
> >
> > e.g.
> >
> > Deny TCP 172.16.4.1:4616 192.100.103.4:135
> >
> > We also see the odd ntp request.  Is it bogon as in RFC 1918 or bogon as in
> > not yet allocated / routed ?
> 
> We are seeing some amount of traffic to the SMTP port of 127.0.0.2 (!!!).
> I haven't bothered to check this out at the moment.  One would suppose the
> routers would blackhole the loopback traffic (or have a route to
> 127.0.0.1), but no... :-)

I've been seeing this too. There are some jokers (SPAMmers?) out there
putting 127.0.0.2 in their MX records.

Our Solaris mail server actually puts 127.0.0.2 out on the wire (the
default route) despite,

  lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
          inet 127.0.0.1 netmask ff000000 

the fact it looks like these should be routed to the loopback. This also
flies in the face of RFC1122, Sec. 3.2.1.3(g),

            (g)  { 127, <any> }
                 Internal host loopback address.  Addresses of this form
                 MUST NOT appear outside a host.

This is however historical UN*X behavior. We hardcoded FreeBSD to drop
127/8 heading out of the host only a year ago and got a few complaints
from people who were doing things they probably should not have been doing
or could have just as easily done with RFC1918 addresses.

I would expect 127/8 to be on any bogon list.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
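As an added example (not part of the original post or any of the systems it mentions), the check below does at the mail-server level what the post says the FreeBSD kernel was changed to do at the host level: refuse to put 127/8, or any other well-known bogon range, on the wire as an SMTP destination, even when a domain's MX record points there. The MX data is constructed sample input, not real DNS output, and the `BOGON_NETWORKS` list is a fixed core set (RFC 1122 loopback, RFC 1918 private space, and a few other martians), not a complete or current bogon list.

```python
"""
Added example: classify addresses a mail server is about to connect to and
reject the bogon ranges that must never appear outside a host or site.
127/8 is covered by RFC 1122 sec. 3.2.1.3(g); 10/8, 172.16/12 and 192.168/16
by RFC 1918. The remaining prefixes are other well-known martians
(this-network, link-local, multicast, reserved). A real deployment would
pull a maintained bogon list instead of this fixed core set.
"""
import ipaddress

# Assumed core bogon set (see module docstring); not an exhaustive list.
BOGON_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("240.0.0.0/4"),
]


def bogon_reason(addr):
    """Return the bogon prefix (as a string) that addr falls in, or None."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_NETWORKS:
        if ip in net:
            return str(net)
    return None


def filter_mx_targets(mx_records):
    """
    mx_records: list of (preference, hostname, [address, ...]) tuples, the
    shape a resolver might hand back after resolving each MX host.

    Returns (deliverable, rejected):
      deliverable: preference-sorted list of (preference, hostname, address)
                   the mail server may attempt;
      rejected:    list of (hostname, address, reason) it must not put on
                   the wire, with the matching bogon prefix as the reason.
    """
    deliverable = []
    rejected = []
    for pref, host, addrs in sorted(mx_records, key=lambda r: r[0]):
        for a in addrs:
            reason = bogon_reason(a)
            if reason is None:
                deliverable.append((pref, host, a))
            else:
                rejected.append((host, a, reason))
    return deliverable, rejected


# Constructed sample: the lowest-preference MX resolves to 127.0.0.2 (the
# joker case from the thread), the second MX to one RFC 1918 address and one
# ordinary public-looking address (192.0.2.0/24 is a test/documentation net).
SAMPLE_MX = [
    (10, "mx1.example.invalid", ["127.0.0.2"]),
    (20, "mx2.example.invalid", ["172.16.4.1", "192.0.2.25"]),
]

if __name__ == "__main__":
    ok, bad = filter_mx_targets(SAMPLE_MX)
    for host, addr, reason in bad:
        print(f"refusing {host} -> {addr} (in bogon range {reason})")
    for pref, host, addr in ok:
        print(f"would try {host} [{addr}] pref {pref}")
```

The point of doing this in the MTA rather than relying on the kernel or the border router is that, as the post shows, a stock Solaris host will happily hand a 127.0.0.2 packet to its default route, and a router with only a 127.0.0.1 host route will forward the rest of 127/8 onward; the sender is the one place guaranteed to see the address before it leaves.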