Security Basics mailing list archives
RE: 0.0.0.0 Probes
From: "Jorge Reyes" <Jorge.Reyes () Talaris com>
Date: Thu, 21 Oct 2004 19:14:38 -0700
On your router you can drop all packets without an IP address. On a Cisco router that will look like this:

###############################################################
! Beginning of access-list 101
!
! Deny rfc 1918 addresses:
!
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
!
! Deny packets with localhost, broadcast and multicast addresses:
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
! Wildcard 15.255.255.255 covers the whole multicast block 224.0.0.0/4
! (a wildcard of 7.255.255.255 would only match 224.0.0.0-231.255.255.255)
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
!
! Deny packets without ip address.
!
access-list 101 deny ip host 0.0.0.0 any log
!
! Note the implicit "deny any" at the end of every ACL: the permit
! entries for the traffic you do want must follow the denies above.
!
! Apply access list to external interface (the next two commands
! go under that interface's configuration):
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
!
!
ip accounting access-violations
###############################################################

On Linux with ipfwadm:

# Deny rfc 1918 addresses:
#
ipfwadm -I -a deny -W eth0 -S 10.0.0.0/8 -D $EXTIP -o
ipfwadm -I -a deny -W eth0 -S 172.16.0.0/12 -D $EXTIP -o
ipfwadm -I -a deny -W eth0 -S 192.168.0.0/16 -D $EXTIP -o
#
# Deny packets without ip address.
#
ipfwadm -I -a deny -W eth0 -S 0.0.0.0/32 -D $EXTIP -o

Jorge

-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com]
Sent: Thursday, October 21, 2004 1:47 PM
To: security-basics () securityfocus com
Subject: 0.0.0.0 Probes

Gurus,

Over the last few days my external NIDS (outside the firewall) has picked up a huge amount of HTTP Probes (over 50,000/day) with source IP address 0.0.0.0. The destinations are every IP address on my public DMZ. These are just HTTP Probes. This traffic is being dropped by my firewalls. The internal IDS does not show any of these events. Initially, I thought it was just a normal scan, but since it is occurring every day with that high frequency, I got more curious.
However, I'm trying to understand what the 0.0.0.0 source means and how it comes about. Could some of you kindly shed light on this fellow? I have googled it and done normal research... but I am still not 100% clear. Is it a misconfiguration on our side? Is it broadcast traffic? Can I use my router to block this? ... all normal questions to defend my assets.

Thank you,
John
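The filter list in the reply above, expressed as detection logic you can run over IDS records: this is an added example, not code from the original thread. It classifies a packet's source address into the same "martian" categories the posted ACL denies (RFC 1918, loopback, broadcast, multicast, and packets "without an IP address") and counts hits per source and destination, which is the question John is asking (one source, every DMZ host, every day). Two ranges are deliberately wider than in the posted ACL: all of multicast 224.0.0.0/4, and the whole 0.0.0.0/8 "this network" block, of which 0.0.0.0 is the unspecified address that a host may legitimately use as a source only before it has an address of its own (a DHCP DISCOVER, for instance); arriving from the Internet it is either spoofed or a broken stack. The log lines and their `src dst proto dport` format are constructed for the example.

```python
"""Classify source addresses in constructed NIDS log lines as martians.

Added example (not from the original post). It mirrors the posted
anti-spoofing ACL: RFC 1918, loopback, limited broadcast, multicast and
the unspecified/"this network" block 0.0.0.0/8 that 0.0.0.0 belongs to.
"""
import ipaddress
from collections import Counter

# Source prefixes that should never arrive inbound on an Internet-facing
# interface. Multicast is the full /4 and the "no address" case is the
# whole 0.0.0.0/8 block, both wider than the posted ACL on purpose.
MARTIANS = {
    "rfc1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "broadcast": [ipaddress.ip_network("255.255.255.255/32")],
    "multicast": [ipaddress.ip_network("224.0.0.0/4")],
    "unspecified": [ipaddress.ip_network("0.0.0.0/8")],
}


def classify(src):
    """Return the martian category for src, or None if it is routable."""
    addr = ipaddress.ip_address(src)
    for name, nets in MARTIANS.items():
        if any(addr in net for net in nets):
            return name
    return None


# Constructed sample records: "src dst proto dport", one per line.
# 203.0.113.0/24 stands in for the public DMZ (documentation range).
SAMPLE_LOG = """\
0.0.0.0 203.0.113.10 tcp 80
0.0.0.0 203.0.113.11 tcp 80
198.51.100.7 203.0.113.10 tcp 443
10.1.2.3 203.0.113.12 tcp 80
239.1.1.1 203.0.113.10 udp 5000
0.0.0.0 203.0.113.12 tcp 80
"""


def parse_line(line):
    """Split one constructed log record into its fields."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def summarize(log_text):
    """Count martian hits per (category, source) and collect the
    distinct destinations each martian source touched."""
    by_source = Counter()
    destinations = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        category = classify(rec["src"])
        if category is None:
            continue  # routable source, not our concern here
        by_source[(category, rec["src"])] += 1
        destinations.setdefault(rec["src"], set()).add(rec["dst"])
    return by_source, destinations


if __name__ == "__main__":
    counts, dsts = summarize(SAMPLE_LOG)
    for (category, src), n in counts.most_common():
        print(f"{category:12s} {src:16s} {n:3d} hits -> "
              f"{len(dsts[src])} distinct destination(s)")
```

A source that shows up in the `unspecified` bucket against many destinations is exactly the pattern to drop at the border with a rule like `deny ip host 0.0.0.0 any`; the classifier also makes it easy to confirm that nothing legitimate (say, DHCP on an internal segment) is being counted, since those packets are destined to 255.255.255.255 rather than to DMZ hosts.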
Current thread:
- Re: 0.0.0.0 Probes, (continued)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes Keith Bucknall (Oct 25)
- RE: 0.0.0.0 Probes xyberpix (Oct 26)
- RE: 0.0.0.0 Probes Fook Ming EE (Oct 26)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)