Re: Well-Known port Scan attack from 127.0.0.1

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 29 Dec 2003 07:45:45 -0800

Don't worry; your umbrage is justly felt.
Any "properly configured" router would throw it away, but unfortunately,
such is not always the case.
The whole point of that traffic (locally-generated or not) is to create
self-resolving packets that cause a DoS at the server.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "cdawkins" <cdawkins@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 28, 2003 23:42
Subject: [isalist] Re: Well-Known port Scan attack from 127.0.0.1


http://www.ISAserver.org

Wait a minute.
Does the loopback address actually get transmitted across the Internet?
I would assume that any router would just throw it away.

Also if the packet was generated on the ISP router then the destination is
the same router so it wouldnt get routed out over any other Interface.

This sounds to me more like there is something running on you Firewall
server thats generating these packets.

Regards (waiting to be shot at...)


> Thanks for your Help
> Best Regards
> Ahmed
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 22, 2003 4:42 PM
> Subject: [isalist] Re: Well-Known port Scan attack from 127.0.0.1
>
>
> > http://www.ISAserver.org
> >
> > It means your ISP is too lazy to block this at the router (or they have
a
> malicious host).
> > It means ISA dropped those packets and told you so.
> > You can't do anything short of smacking your ISP upside the head.
> >
> >   Jim Harrison
> >   MCP(NT4, W2K), A+, Network+, PCG
> >   http://isaserver.org/Jim_Harrison/
> >   http://isatools.org
> >   Read the help / books / articles!
> >
> >
> > On Mon, 22 Dec 2003 13:28:05 +0200
> >  "Ahmed ELsayed" <ahmedelsayed@xxxxxxxx> wrote:
> > http://www.ISAserver.org
> >
> > Hi All
> > On ISA Alerts I got: Well-Known port Scan attack from 127.0.0.1
> > what does it mean ? what action to do?
> >
> > Best regards
> > Ahmed
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
$subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> ahmedelsayed@xxxxxxxx
> > To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 12-2003