So, it may or may not be Blaster/Welchia related activity, but rather any old virus/worm trying to DDoS a selected target (that DNS maintainers have seen fit to resolve to 127.0.0.1). Hey, maybe it's trying to DDoS SCO! Ooh, ethical quandary... ;-) j/k
Curtis

On Fri March 19 2004 09:37, Michael Petch wrote:
> Interesting. Some ISPs running DNS services might mark some domain
> names with an IP address of 127.0.0.1 to mitigate a Denial of service
> attack against the domains in question (Of course 127.0.0.1 addresses
> will be resolved back to the local computer).
>
> I find it a bit odd that the destinations are internal network addresses
> (I assume internal machine IP address is a non-routable IP address on
> the internet?)
>
> I know when the blaster worm was circulating Sprint set some of their
> DNS servers to point windowsupdate.com at 127.0.0.1.
>
> Just some ideas.
>
> On Thu, 2004-03-18 at 21:57, Shane&Lisa wrote:
> > Hi all, is anybody else getting firewall logs yelling:
> >
> > 127.0.0.1 on port 80 (external) to <internal machine address> port <
> > unprivileged port # > (internal)
> >
> > over and over again?
> >
> > I'm just getting pounded with these...
> >
> > Ideas?
> >
> > Shane
> >
> >
> > _______________________________________________
> > clug-talk mailing list
> > [EMAIL PROTECTED]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
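
The pattern reported in this thread, a 127.0.0.1 source arriving on the external interface from port 80 to an unprivileged port, can be counted per internal host to see which machines are involved. The Python below is an added example, not part of the original thread; the iptables-style log format, the interface names and all addresses are constructed assumptions, since the thread does not say which firewall produced the messages.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed iptables-style LOG format.
SAMPLE_LOG = """\
Mar 18 21:50:01 fw kernel: IN=eth0 OUT=eth1 SRC=127.0.0.1 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=1034
Mar 18 21:50:02 fw kernel: IN=eth0 OUT=eth1 SRC=127.0.0.1 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=1877
Mar 18 21:50:03 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=1500
Mar 18 21:50:04 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=1044 DPT=80
Mar 18 21:50:05 fw kernel: IN=eth0 OUT=eth1 SRC=127.0.0.1 DST=192.168.1.22 PROTO=TCP SPT=80 DPT=2301
garbage line without any fields
"""

FIELD = re.compile(r"(\w+)=(\S*)")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_line(line):
    """Turn the KEY=value pairs of one log line into a dict."""
    return dict(FIELD.findall(line))


def loopback_martians(log_text, external_if="eth0"):
    """Count, per destination, packets that claim a loopback source but
    arrived on the external interface (external_if is an assumed name)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # no parsable source address on this line
        if fields.get("IN") == external_if and src in LOOPBACK:
            hits[fields.get("DST")] += 1
    return hits


def web_reply_like(fields):
    """True for the thread's exact shape: source port 80, unprivileged dest port."""
    return fields.get("SPT") == "80" and fields.get("DPT", "").isdigit() \
        and int(fields["DPT"]) >= 1024


if __name__ == "__main__":
    for dst, count in loopback_martians(SAMPLE_LOG).most_common():
        print(f"{dst}: {count} loopback-sourced packets on external interface")
```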

