Please offer some *plausible* alternate explanation. The
Blaster blowback precisely explains every detail of traffic
like this that I have seen directly or heard reported by
others. Do you possess some additional evidence that
contradicts it? Do you have a simpler explanation that
adequately explains the evidence?
David Nesting listed some plausible scenarios.
I don't know what it is. But it is simple to prove what it is *not* with the
evidence already provided.
Blaster blowback is directed at the machine that generated the traffic, and
occurs on the LAN of the infected host. If some miracle of misconfiguration
guided a 127.0.0.1-destined packet out the gateway onto the upstream
network, what upstream device would answer a SYN to 127.0.0.1 that did not
originate from its own interface?
The simplest explanation often tends to be correct, but not when the facts
clearly contradict it.
On my own traffic, I have additional evidence that it is not Blaster
blowback.
The source MAC address said the traffic was coming from my upstream's Cisco
router. One day after my upstream stopped the traffic at my request, it has
reappeared. More reason for suspicion, and Blaster still doesn't explain it.
I took great pains to make absolutely sure there was no local stimulus at
all - I only answered ARPs and otherwise kept silent while sniffing. Sure
enough the 127.0.0.1 traffic was completely unsolicited. David's scenarios
could apply if someone else was spoofing my address or NATing traffic to me.
But again, that is speculation - there is not enough data to prove what it
is, and the proof is all upstream of my network so I will not have access to
it.
If you want plausible speculation, I'd say someone might have compromised
the upstream router, changed ACLs and set up NATing to hide the source of
hostile probes from some other compromised machines downstream of the
router. Odd repetitions in the target ports of the traffic could indicate
something more complex.
