how to get rid of loopback packets?

Discussion in 'Cisco' started by kain, Nov 21, 2003.

  1. kain

    kain Guest

    hi there,
    I've searched a lot but didn't find anything regarding this issue:
    in my logs a see a huge lines that indicates:

    root@www /# cat /var/log/cisco.log | grep denied | cut -d ' ' -f 1-5,12-19 | grep 127.0.0.1 | more
    Nov 20 23:40:22 10.10.10.1 73069: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1826), 1 packet
    Nov 20 23:40:32 10.10.10.1 73071: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1827), 1 packet
    Nov 20 23:40:32 10.10.10.1 73072: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1760), 1 packet
    Nov 20 23:40:33 10.10.10.1 73074: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1185), 1 packet
    Nov 20 23:40:33 10.10.10.1 73075: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1639), 1 packet
    Nov 20 23:40:35 10.10.10.1 73077: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1408), 1 packet
    Nov 20 23:40:49 10.10.10.1 73078: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1760), 1 packet
    Nov 20 23:41:09 10.10.10.1 73081: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1981), 1 packet

    and so on.
    packets that start from the loopback interface on port 80 and go out the WAN
    interface.
    I thought about a spoofed automated attack on an ISA server because the
    dest_ports are in the range of 1000-2000, and reading through past posts it
    seems my router is being attacked in this manner.

    also:
    #   interval    proto  source         whois information  destination  port  service  opts
    445 00:03:38:38 pim    192.168.100.1  -                  224.0.0.13   0     -        -
    220 00:03:39:13 igmp   192.168.100.1  -                  224.0.0.1    0


    in fwlogwatch, I suspect that 192.168.100.1 is the ISP's gateway but I
    really dunno about this

    here's my acl (the chain that seems to be problematic is 111)

    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any log

    can someone tell me what's wrong and how to correct my config?
    I ordered "hardening cisco routers" about a month ago but it still hasn't
    arrived :)
    thanks,
    kain
     
    kain, Nov 21, 2003
    #1

  2. In article <xNevb.66198$>,
    kain <> wrote:
    :I've searched a lot but didn't find anything regarding this issue:
    :in my logs a see a huge lines that indicates:

    :Nov 20 23:40:22 10.10.10.1 73069: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1826), 1 packet

    :packets that start from the loopback interface on port 80 and go out the WAN
    :interface.
    :I thought about a spoofed automated attack on an ISA server because the
    :dest_ports are in the range of 1000-2000, and reading through past posts it
    :seems my router is being attacked in this manner.

    I don't think that's what's going on. See below.

    :here's my acl (the chains that seems to be problematic is the 111)

    :access-list 111 permit icmp any any administratively-prohibited
    :access-list 111 permit icmp any any echo

    This is for outgoing traffic, right? If this were for incoming traffic
    then you should block echo to your broadcast addresses before permitting
    echo to anything else.

    :access-list 111 permit icmp any any echo-reply
    :access-list 111 permit icmp any any packet-too-big
    :access-list 111 permit icmp any any time-exceeded
    :access-list 111 permit icmp any any unreachable
    :access-list 111 permit udp any eq bootps any eq bootpc
    :access-list 111 permit udp any eq bootps any eq bootps
    :access-list 111 permit udp any eq domain any
    :access-list 111 permit esp any any
    :access-list 111 permit udp any any eq isakmp
    :access-list 111 permit udp any any eq 10000
    :access-list 111 permit tcp any any eq 1723
    :access-list 111 permit tcp any any eq 139
    :access-list 111 permit udp any any eq netbios-ns
    :access-list 111 permit udp any any eq netbios-dgm
    :access-list 111 permit gre any any
    :access-list 111 deny ip any any log

    I think I see the problem. You are not permitting TCP reply packets.
    Someone tried to contact tcp port 80 on one of your machines, and your
    machine replied and you aren't permitting the reply to go back.

    I do not know why 127.0.0.1 is replying: my guess is that you might
    be doing "router on a stick" or possibly something to do with NAT.

    Anyhow, to fix the problem, above the tcp 1723 line, insert

    access-list 111 permit tcp any any established
    --
    Disobey all self-referential sentences!
     
    Walter Roberson, Nov 21, 2003
    #2
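To see why the web server's replies were hitting "deny ip any any log" and what the `established` keyword changes, here is an added toy evaluator (not code from the thread or from IOS) that models the relevant subset of access-list 111; the ACL subset and the packets are constructed from the lines quoted above, and ICMP type matching is simplified away.

```python
import re

# Constructed subset of the thread's access-list 111 (the ICMP/UDP entries
# that don't affect the demonstration are left out).
ACL_BEFORE = """\
access-list 111 permit icmp any any echo
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit gre any any
access-list 111 deny ip any any log""".splitlines()
FIX = "access-list 111 permit tcp any any established"

# Only the "any [eq P] any [eq P] [established] [log]" shape used in the thread.
ACE_RE = re.compile(r"access-list \d+ (permit|deny) (\S+) any(?: eq (\d+))?"
                    r" any(?: eq (\d+))?(.*)$")

def parse_ace(line):
    action, proto, sport, dport, rest = ACE_RE.match(line).groups()
    return {"action": action, "proto": proto, "established": "established" in rest.split(),
            "sport": int(sport) if sport else None, "dport": int(dport) if dport else None}

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # IOS "established" matches only TCP segments with ACK or RST set, i.e. traffic
    # of a connection opened from the other side; a bare SYN never matches it.
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True  # ICMP message types are ignored in this toy model

def evaluate(acl, pkt):
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit deny

def insert_above(acl, marker, new_line):
    i = next(k for k, line in enumerate(acl) if marker in line)
    return acl[:i] + [new_line] + acl[i:]

# Constructed packets: the server's SYN/ACK reply from the log, a fresh inbound
# SYN to port 80, and one of the denied IGMP datagrams.
WEB_REPLY = {"proto": "tcp", "sport": 80, "dport": 1826, "flags": {"SYN", "ACK"}}
NEW_SYN = {"proto": "tcp", "sport": 1826, "dport": 80, "flags": {"SYN"}}
IGMP_QUERY = {"proto": "igmp"}
ACL_AFTER = insert_above(ACL_BEFORE, "eq 1723", FIX)
```

Evaluating WEB_REPLY against ACL_BEFORE gives "deny" and against ACL_AFTER "permit", while NEW_SYN stays denied either way: the fix lets existing connections' replies through without opening new inbound ports.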

  3. kain

    kain Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bpjtu6$dp2$...
    > In article <xNevb.66198$>,
    > kain <> wrote:
    > :I've searched a lot but didn't find anything regarding this issue:
    > :in my logs a see a huge lines that indicates:
    >
    > :Nov 20 23:40:22 10.10.10.1 73069: 127.0.0.1(80) -> 80.xxx.xxx.xxx(1826), 1
    > :packet


    [snip]

    > :access-list 111 permit icmp any any administratively-prohibited
    > :access-list 111 permit icmp any any echo
    >
    > This is for outgoing traffic, right? If this were for incoming traffic
    > then you should block echo to your broadcast addresses before permitting
    > echo to anything else.


    thanks for the reply Walter, that's right

    > :access-list 111 permit icmp any any echo-reply

    [snip]
    > :access-list 111 deny ip any any log
    >
    > I think I see the problem. You are not permitting TCP reply packets.
    > Someone tried to contact tcp port 80 on one of your machines, and your
    > machine replied and you aren't permitting the reply to go back.
    >
    > I do not know why 127.0.0.1 is replying: my guess is that you might
    > be doing "router on a stick" or possibly something to do with NAT.
    >
    > Anyhow, to fix the problem, above the tcp 1723 line, insert
    >
    > access-list 111 permit tcp any any established


    that's great, it solved my problem.
    certainly someone tried to contact my router at port 80, I'm running a
    webserver, but I'm still having some difficulty with ACLs :)
    thanks for the tips, and I want to ask you one more and last question, I see:

    Nov 21 04:12:18 10.10.10.1 76382: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied igmp 192.168.100.1 -> 224.0.0.1, 1 packet
    Nov 21 04:13:32 10.10.10.1 76383: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied igmp 192.168.100.1 -> 224.0.0.1, 1 packet
    Nov 21 04:13:32 10.10.10.1 76384: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied pim 192.168.100.1 -> 224.0.0.13, 2 packets
    Nov 21 04:13:37 10.10.10.1 76385: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied pim 192.168.100.1 -> 224.0.0.13, 1 packet

    what could it be?
    it's time to read furthermore :)
    sorry for my bad English and thanks in advance,
    kain
     
    kain, Nov 21, 2003
    #3
  4. In article <rrfvb.66205$>,
    kain <> wrote:
    :Nov 21 04:12:18 10.10.10.1 76382: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied igmp 192.168.100.1 -> 224.0.0.1, 1 packet
    :Nov 21 04:13:32 10.10.10.1 76384: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied pim 192.168.100.1 -> 224.0.0.13, 2 packets

    :what could it be?

    igmp and pim are used for multicast.

    Do you have Windows RAS (Remote Access Service) running?
    http://www.microsoft.com/technet/tr...r2003/proddocs/deployguide/dnsbb_tcp_dtot.asp

    It is also possible that something at 192.168.100.1 was scanning for
    a known vulnerability:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq99-034.asp
    --
    IMT made the sky
    Fall.
     
    Walter Roberson, Nov 21, 2003
    #4
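As an added example (not part of the thread), a small Python parser for the %SEC-6-IPACCESSLOGRP lines quoted above that tags each denied flow by destination type, so link-local multicast control traffic such as these IGMP and PIM entries can be separated from denied unicast at a glance; the sample log is constructed from the lines in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed from the four log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 21 04:12:18 10.10.10.1 76382: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied igmp 192.168.100.1 -> 224.0.0.1, 1 packet
Nov 21 04:13:32 10.10.10.1 76383: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied igmp 192.168.100.1 -> 224.0.0.1, 1 packet
Nov 21 04:13:32 10.10.10.1 76384: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied pim 192.168.100.1 -> 224.0.0.13, 2 packets
Nov 21 04:13:37 10.10.10.1 76385: 2d18h: %SEC-6-IPACCESSLOGRP: list 111 denied pim 192.168.100.1 -> 224.0.0.13, 1 packet
"""

# Matches the portless IPACCESSLOGRP form shown in the thread (routing-protocol
# and multicast control traffic has no ports to log).
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?")

# 224.0.0.0/24 is the link-local block (all-hosts 224.0.0.1, all-PIM-routers
# 224.0.0.13); routers never forward it off the local link.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

def classify(dst):
    addr = ipaddress.ip_address(dst)
    if addr in LINK_LOCAL_MCAST:
        return "link-local multicast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"

def parse(log):
    rows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            row = m.groupdict()
            row["count"] = int(row["count"])
            row["kind"] = classify(row["dst"])
            rows.append(row)
    return rows

def summarize(rows):
    # Total packets per (proto, src, dst, kind) so repeated entries collapse.
    totals = Counter()
    for r in rows:
        totals[(r["proto"], r["src"], r["dst"], r["kind"])] += r["count"]
    return totals
```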
  5. kain

    kain Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bpk0ee$esl$...
    > In article <rrfvb.66205$>,


    > Do you have Windows RAS (Remote Access Service) running?
    > http://www.microsoft.com/technet/tr...r2003/proddocs/deployguide/dnsbb_tcp_dtot.asp
    >
    > It is also possible that something at 192.168.100.1 was scanning for
    > a known vulnerability:
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq99-034.asp

    no, I have only a server (trustix) and two clients, one windows and one
    gnu/linux.
    btw thanks again :)

    kain
     
    kain, Nov 21, 2003
    #5