Intrusion Detected from 127.0.0.1?

markp
Level 1

I often receive alerts from my IDS, and the source of them is 127.0.0.1, which is a loopback IP address. Is this normal? I have blocked it on our router, since I do not know the effect if this continues.

1 Reply

Kevin Dorrell
Level 10

I have seen that too.

In our case, it was a misguided attempt to evade the Blaster worm. In the early days of that worm, some NetAdmins changed the name resolution for windowsupdate.com to 127.0.0.1 to stop any infected machines from attacking windowsupdate.com. Instead, the infected machine attacks itself. In doing so, the infected machine receives the connection, and then replies to its own spoofed source address - which in this case happens to be one of yours. These are the packets we saw: an infected machine's responses to its own self-inflicted attack using your source address as a spoof!

As the original attacking packet is generated inside the infected machine itself, the only way you are going to track this down to a machine is by snooping the segment the packets are coming from, finding the MAC address, and tracing it to a port. But since this is probably happening off your site, there is very little you can do about it.

Kevin Dorrell,

Luxembourg
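The tracing step Kevin describes (snoop the segment, pull the source MAC, trace it to a port) can be scripted over a packet capture summary. The following is an added example, not code from either poster; it assumes a simple constructed line format (`<time> <src_mac> <src_ip> -> <dst_ip> <tcp_flags>`) such as you might produce from a sniffer on the affected segment, and the sample lines and MAC/IP values are made up for illustration. It flags every packet whose source lies in 127.0.0.0/8 (an address that should never be seen off-box) and groups them by the MAC address that emitted them, which is the host to chase down if the capture was taken on the same segment, or the upstream router's MAC if the traffic came from elsewhere, as Kevin notes.

```python
import ipaddress
from collections import defaultdict

# Any source in 127.0.0.0/8 seen on a real network interface is a "martian":
# it can only appear off-box if something is spoofing, or replying to a spoof
# (the self-inflicted-attack case described in the thread).
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed capture summary, one packet per line (hypothetical values, not
# taken from the original thread):
#   <time> <src_mac> <src_ip> -> <dst_ip> <tcp_flags>
SAMPLE_CAPTURE = """\
10:00:01.001 00:11:22:33:44:aa 127.0.0.1 -> 192.0.2.10 SA
10:00:01.002 00:11:22:33:44:aa 127.0.0.1 -> 192.0.2.11 SA
10:00:01.500 00:11:22:33:44:bb 198.51.100.7 -> 192.0.2.10 S
10:00:02.010 00:11:22:33:44:aa 127.0.0.1 -> 192.0.2.10 R
10:00:02.300 00:11:22:33:44:cc 127.0.0.1 -> 192.0.2.12 SA
"""


def is_loopback(addr):
    """True when addr lies in 127.0.0.0/8; unparsable strings count as False."""
    try:
        return ipaddress.ip_address(addr) in LOOPBACK_NET
    except ValueError:
        return False


def parse_line(line):
    """Parse one summary line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, src_mac, src_ip, _, dst_ip, flags = parts
    return {"ts": ts, "src_mac": src_mac.lower(), "src_ip": src_ip,
            "dst_ip": dst_ip, "flags": flags}


def loopback_report(capture_text):
    """Group loopback-sourced packets by the MAC address that emitted them.

    On the segment where the capture was taken, that MAC is the machine to
    trace to a switch port. If the packets crossed a router first, the MAC
    belongs to the router and the search has to move to the far side of it.
    """
    report = defaultdict(lambda: {"count": 0, "targets": set(), "flags": set()})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not is_loopback(pkt["src_ip"]):
            continue
        entry = report[pkt["src_mac"]]
        entry["count"] += 1
        entry["targets"].add(pkt["dst_ip"])   # the spoofed "victim" addresses
        entry["flags"].add(pkt["flags"])      # SYN-ACK / RST = replies to a spoof
    return dict(report)


if __name__ == "__main__":
    for mac, entry in sorted(loopback_report(SAMPLE_CAPTURE).items()):
        print(f"{mac}: {entry['count']} loopback-sourced packet(s) "
              f"to {sorted(entry['targets'])}, flags {sorted(entry['flags'])}")
```

The TCP flags are worth keeping in the report: SYN-ACK and RST packets from 127.0.0.1 toward your addresses are exactly the replies to a self-inflicted, source-spoofed connection attempt that Kevin describes, whereas a bare SYN from 127.0.0.1 would point at direct spoofing instead. Blocking 127.0.0.0/8 at the router edge, as the original poster did, is harmless, because no legitimate traffic carries a loopback source across a wire.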