Lode sent in some unusual traffic he is seeing from one of his servers.  The traffic is Protocol 0 (IPv6 Hop by Hop), originates from a Loopback address and is destined to 108.22.0.0, which used to be IANA reserved but recently was allocated to ARIN, but is currently not in use.

13:02:52.012656 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.181 > 108.122.0.0: ip 0
13:02:52.012699 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.25 > 108.122.0.0: ip 0
13:02:52.012743 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.96 > 108.122.0.0: ip 0
13:02:52.012788 IP (tos 0x7,CE, ttl 255, id 29423, offset 0, flags [none], proto: Options (0), length: 20) 127.0.0.187 > 108.122.0.0: ip 0
 

Some searching shows references to this traffic from Solaris (this server is Debian Linux) systems dating back to at least 2002, but I couldn't find any concrete solutions. One reference suggests this traffic might be related to a misconfigured rootkit.

Anybody who knows anything about this traffic and can provide insight please contact me via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org