
Re: Solaris 7 installation is sending 127.0.0.0/8 addresses on the ethernet network...

From: John P. Eisenmenger <jpe(at)eisenmenger.org>
Date: Mon Dec 02 2002 - 13:31:57 EST


On Thu, 28 Nov 2002, Michael Boman wrote:

> I grabbed the pcap output from our IDS that is sitting on a SPAN

> # ifconfig -a

The 127.0.0.75 address is the source address, so all the routing table comments are headed down the wrong path. So we have to ask ourselves how one can get a source address of 127.0.0.75...

What is strange is that I don't see that 127.0.0.75 address anywhere in the Sun information you gave above. Anyway...

Option 1 - via bind()

This is the simplest option from an application point of view, but it should not be possible to bind to an address that does not exist on the system. It's been a while since I played with things like this on Solaris, so maybe it makes an exception for addresses on the loopback interface.. In any case, a "netstat -an | grep 127.0.0.5" should show that address in use if a process is bound to it.

Option 2 - via raw net access.


The other option I can think of is some application that crafts the entire IP portion of the packet and uses raw network access to deposit it onto the wire. Why a normal application would do this, I have no earthly idea.

Any other ideas?
-John

-- 
John P. Eisenmenger
jpe@eisenmenger.org
Received on Tue Dec 3 18:45:23 2002
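
The netstat check suggested under Option 1, as an added example that is not part of the original message: it parses `netstat -an` output and reports every endpoint in 127.0.0.0/8 other than 127.0.0.1, accepting both the Solaris `address.port` and the Linux/BSD `address:port` forms. The sample output is constructed, and treating 127.0.0.1 as the only expected loopback address is an assumption.

```python
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
# Assumption: 127.0.0.1 is the only loopback address expected on the host.
EXPECTED = {ipaddress.ip_address("127.0.0.1")}

# Constructed sample in Solaris "netstat -an" style; not taken from the thread.
SAMPLE = """\
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- -------
      *.111                                 Idle
127.0.0.75.32790                            Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
127.0.0.1.32771            *.*                0      0 24576      0 LISTEN
192.0.2.10.22        192.0.2.50.51234     64240      0 24820      0 ESTABLISHED
127.0.0.75.6010      127.0.0.75.32801     32768      0 32768      0 ESTABLISHED
"""


def parse_endpoint(token):
    """Split 'addr.port' (Solaris) or 'addr:port' (Linux/BSD) into (IPv4Address, port)."""
    sep = ":" if ":" in token else "."
    host, _, port = token.rpartition(sep)
    try:
        return ipaddress.IPv4Address(host), port
    except ValueError:
        return None  # headers, wildcards such as *.22, IPv6, counters


def unexpected_loopback(netstat_text):
    """Return (line_number, address, port) for each 127/8 endpoint not in EXPECTED."""
    hits = []
    for lineno, line in enumerate(netstat_text.splitlines(), 1):
        for token in line.split():
            endpoint = parse_endpoint(token)
            if endpoint and endpoint[0] in LOOPBACK_NET and endpoint[0] not in EXPECTED:
                hits.append((lineno, str(endpoint[0]), endpoint[1]))
    return hits


if __name__ == "__main__":
    for lineno, addr, port in unexpected_loopback(SAMPLE):
        print(f"line {lineno}: socket using {addr} port {port}")
```

Comparing parsed addresses rather than grepping for a string avoids regex-dot and substring matches, so 127.0.0.5 and 127.0.0.50 are reported as distinct addresses.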

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT

