Hello to ALL: I am a frequent reader of this list and contribute when I occasionally think I may have something of value to add.
I recently came across entries like the following in some firewall logs that a friend of mine asked me to take a look at:

    Source Address   Destination Address   Action
    127.0.0.1        108.122.0.0           Drop
    127.0.0.2        108.122.0.0           Drop
    127.0.0.3        108.122.0.0           Drop
    .
    .
    .
    127.0.0.255      108.122.0.0           Drop

I believe that this pattern indicates strong evidence of an address spoofing attack of some kind using a compromised machine.

------------------------------------------------------
Further information:

This investigation came about because the firewall my friend uses is licensed by the number of IPs protected by the firewall (it does not count IPs coming from the external interface). The 127.0.0.x addresses were being counted against the license and he was getting warnings about exceeding the licensed IP limit!

I then did some sniffing via tcpdump and traced the source of this traffic to a Unix machine on my friend's INTERNAL network. When I dug deeper, I learned that this machine had formerly been located OUTSIDE his firewall and had been moved to the internal network recently. He soon began experiencing intermittent network performance problems.

I then logged into this machine at the console and attempted to run netstat to see which ports were open/active. Netstat would NOT run. It complained about libraries, too many open files, etc. I then ran a sniffer on the problematic machine. It was pumping out those 127.0.0.x broadcasts(?) as fast as it could!

I am quite certain that the machine was compromised when it was located outside the firewall. I have advised my friend to rebuild the box from scratch before putting it back into service. But I am still curious. I did some searching on the internet and found a posting on the SUN Managers News site with a similar question to mine, with the same source and destination address ranges. There were no responses. So now I know that I am not the 1st one to have seen this, and my curiosity is even further piqued.
------------------------------------------------------
I know that 127.0.0.1 is the loopback address on TCP/IP hosts and that the 127.0.0.0/8 network is a reserved (or mostly wasted?) class A network. However, I had never come across the 108.122.0.0 network before, so I did some research. I did a search on 102.122.0.0 and found the following link:

http://ftp.apnic.net/apnic/mailing-lists/bgp-stats/bgp-stats.archive.0009

from which I found the following information on the destination address:

"
Advertised IANA Reserved Addresses
----------------------------------
Network          Origin AS   Description
108.122.0.0/24   9847        Issan
"

I do have several questions for the readers of this list:

1. Has anyone else seen this pattern before?
2. If so, does anyone have any more in-depth knowledge of the details of this type of attack? In other words, what would a mischief maker be attempting to accomplish? My initial thought is a DoS attack perhaps leading to something larger. What type of tool(s) would they be using to do this, etc.?
3. Does anyone have any knowledge or information on exactly what the 108.122.0.0/24 network or Issan is?
4. Does this look like something that should be reported to the proper authorities?
5. Am I just overly paranoid? I have been accused of possessing that "quality".

Any information would be greatly appreciated. Thanks in advance.

Pete Francois
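The detection side of the pattern Pete describes, as an added example that is not part of his post and not from any tool he mentions: a small Python checker that reads firewall log lines in the same "Source Destination Action" layout as the excerpt, flags any packet whose source address falls in a range that can never legitimately appear as a source on the wire (127.0.0.0/8 loopback is the inherent case; the other two ranges in the list are my own illustrative additions, not something the post states), and then groups the hits per destination so that a sweep across many distinct 127.0.0.x sources toward one target, as in the log above, stands out from a single misconfigured host. The sample log lines are constructed for this example.

```python
import ipaddress

# Constructed sample log lines in the "Source Destination Action" layout of the post.
# The 10.x and 198.51.100.x lines are normal traffic added for contrast.
SAMPLE_LOG = """\
Source Address Destination Address Action
127.0.0.1 108.122.0.0 Drop
127.0.0.2 108.122.0.0 Drop
127.0.0.3 108.122.0.0 Drop
10.1.2.3 198.51.100.7 Accept
127.0.0.255 108.122.0.0 Drop
"""

# Address blocks that should never be seen as a packet *source* on a real segment.
# 127.0.0.0/8 is loopback (RFC 1122) and only ever exists inside one host; the other
# two entries are assumptions added here as further examples of never-valid sources.
NEVER_VALID_SOURCE = [
    ipaddress.ip_network("127.0.0.0/8"),   # loopback
    ipaddress.ip_network("0.0.0.0/8"),     # "this" network
    ipaddress.ip_network("240.0.0.0/4"),   # reserved for future use
]


def parse_log(text):
    """Return a list of (src, dst, action) tuples; header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # the header line has five tokens, so it is dropped here
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # not an address pair; ignore the line
        entries.append((src, dst, parts[2]))
    return entries


def is_bogon_source(addr):
    """True if the address lies in a block that can never be a legitimate source."""
    return any(addr in net for net in NEVER_VALID_SOURCE)


def find_bogon_sources(entries):
    """Keep only the log entries whose source address is never valid on the wire."""
    return [e for e in entries if is_bogon_source(e[0])]


def summarize(entries):
    """Per destination: how many bogon-source packets, and how many distinct sources."""
    per_dst = {}
    for src, dst, _action in find_bogon_sources(entries):
        rec = per_dst.setdefault(str(dst), {"packets": 0, "sources": set()})
        rec["packets"] += 1
        rec["sources"].add(str(src))
    return {
        dst: {"packets": rec["packets"], "distinct_sources": len(rec["sources"])}
        for dst, rec in per_dst.items()
    }


def sweep_candidates(entries, min_distinct=8):
    """Destinations hit from at least min_distinct different bogon sources.

    One bogon source usually means a misconfigured host; many different ones aimed
    at the same destination (127.0.0.1 ... 127.0.0.255 in the post) points at a
    deliberately spoofing sender that is worth tracing with a sniffer.
    """
    return sorted(
        dst for dst, rec in summarize(entries).items()
        if rec["distinct_sources"] >= min_distinct
    )


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for dst, rec in summarize(parsed).items():
        print(f"{dst}: {rec['packets']} packets from {rec['distinct_sources']} bogon sources")
    print("sweep candidates:", sweep_candidates(parsed, min_distinct=4))
```

On a real log the threshold for sweep_candidates should be raised well above the four sources in the sample; the point of counting distinct sources rather than packets is that the same firewall rule also catches the far more common case of one host leaking loopback-sourced packets, which is a configuration bug rather than an incident.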
