Unusual traffic from Loopback to Bogon Address, (Sat, Oct 17th)
Lode sent in some unusual traffic he is seeing from one of his servers. The traffic is Protocol 0 (IPv6 Hop by Hop), originates from a Loopback address and is destined to 108.22.0.0, which is a reserved address.
13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
Some searching shows references to this traffic from Solaris systems dating back to at least 2002, but I couldn’t find any concrete solutions. One reference suggests this traffic might be related to a rootkit.
Anybody who knows anything about this traffic and can provide insight, please contact me via our contact page.
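The properties that make the capture above stand out (loopback source, IP protocol 0, a 20-byte total length) can be checked mechanically over tcpdump verbose output. The following is an added example, not part of the original diary; the function names and finding labels are assumptions chosen for illustration, and the sample input is the four lines quoted above.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the four capture lines quoted in the diary.
SAMPLE = """\
13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
"""

# Fields of tcpdump's verbose IPv4 line; the ">" is optional so both forms parse.
LINE = re.compile(
    r"ttl (?P<ttl>\d+), id (?P<id>\d+),.*?proto:? \S+ \((?P<proto>\d+)\), "
    r"length:? (?P<len>\d+)\) (?P<src>[\d.]+)(?: >)? (?P<dst>[\d.]+):")

def parse(text):
    """Yield one dict per parsable line; unparsable lines are skipped."""
    for m in filter(None, map(LINE.search, text.splitlines())):
        pkt = {k: int(m[k]) for k in ("ttl", "id", "proto", "len")}
        pkt["src"] = ipaddress.ip_address(m["src"])
        pkt["dst"] = ipaddress.ip_address(m["dst"])
        yield pkt

def findings(pkt):
    """Name the properties that make a packet look like the ones in the diary."""
    out = []
    if pkt["src"].is_loopback:      # 127.0.0.0/8 must not leave the host (RFC 1122)
        out.append("loopback-source")
    if pkt["proto"] == 0:
        out.append("ip-proto-0")
    if pkt["len"] <= 20:            # minimal IPv4 header only, no payload
        out.append("header-only")
    return out

def summarise(text):
    """Count findings and show which header fields are shared across packets."""
    pkts = list(parse(text))
    return {
        "packets": len(pkts),
        "flags": dict(Counter(f for p in pkts for f in findings(p))),
        "distinct_sources": len({p["src"] for p in pkts}),
        "distinct_ip_ids": len({p["id"] for p in pkts}),
        "destinations": sorted({str(p["dst"]) for p in pkts}),
    }

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

On the sample, every packet carries all three findings, and the summary shows four different loopback sources sharing a single IP id and a single destination.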