Security Basics mailing list archives
RE: 0.0.0.0 Probes
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 22 Oct 2004 08:31:24 -0700
It means that whatever machine generated the traffic, it was trying to hide its identity. Note that you cannot possibly send return packets to this address. So I wouldn't call this a "probe", unless it was written by someone who is still just learning how TCP/IP works.

Earlier this week, I tracked down a worm on our network that was generating packets with a source address of 0.0.0.0, and sending them all to a specific address. This is not a "probe", it's a "SYN flood" attack. The attacker doesn't care that the destination can't reply, because he has no intention of ever completing the TCP three-way handshake.

If you're seeing traffic sourced from 0.0.0.0, the only "misconfiguration" is that nobody between you and the source is doing anti-spoofing or egress filtering. Dropping it at your firewalls is the only sane thing to do.

David Gillett
-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com]
Sent: Thursday, October 21, 2004 1:47 PM
To: security-basics () securityfocus com
Subject: 0.0.0.0 Probes

Gurus,

Over the last few days my external NIDS (outside the firewall) has picked up a huge amount of HTTP probes (over 50,000/day) with source IP address 0.0.0.0. The destinations are every IP address on my public DMZ. These are just HTTP probes. This traffic is being dropped by my firewalls. The internal IDS does not show any of these events.

Initially, I thought it was just a normal scan, but since it is occurring every day with that high frequency, I got more curious. However, I'm trying to understand what the 0.0.0.0 source means. Could some of you fellows kindly shed light on this? I have googled it and done the normal research, but I'm still not 100% clear. Is it something that we have misconfigured? Is it broadcast traffic? Can I use my router to block this? All normal questions to defend my assets.

Thank you,
John
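The two patterns discussed above (the original poster's 0.0.0.0-sourced sweep of every DMZ host, and the worm in the reply sending 0.0.0.0-sourced SYNs at one target) can be pulled out of firewall or NIDS records with a small bogon-source filter. The script below is an added example written for this archive page; it is not code from either poster. The "proto src:sport > dst:dport flags" log format, the sample lines and the 0.75 concentration threshold are constructed assumptions. The source-prefix list is the usual anti-spoofing ingress set (RFC 1122 "this network" 0.0.0.0/8, loopback, RFC 1918 space, link-local, multicast, limited broadcast); a real border filter would add the site's own public prefixes to it.

```python
"""Filter and classify packets whose source address can never legitimately
arrive from the Internet (bogon sources such as 0.0.0.0), and tell apart the
two patterns in the thread: a sweep of every DMZ host versus a SYN flood
aimed at one host. Added example; not code from the original post. The log
format and the sample lines are constructed for this illustration."""
import ipaddress
from collections import Counter, defaultdict

# Prefixes that must be dropped as *source* addresses on an Internet-facing
# interface: RFC 1122 "this host on this network" (0.0.0.0/8), loopback,
# RFC 1918 private space, link-local, multicast and limited broadcast. This
# is the anti-spoofing ingress filter the reply says nobody upstream is
# applying; a real deployment would also add its own public prefixes.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def is_bogon_source(src):
    """True if src falls in a prefix that can never be a valid Internet source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


# Constructed sample records in a hypothetical "proto src:sport > dst:dport flags"
# format. 0.0.0.0 sweeps four DMZ hosts (the original poster's pattern); a leaked
# private source hammers one host with bare SYNs (the reply's worm pattern); the
# last two lines are an ordinary client and must not be flagged.
SAMPLE_LOG = """\
TCP 0.0.0.0:1024 > 203.0.113.10:80 S
TCP 0.0.0.0:1025 > 203.0.113.11:80 S
TCP 0.0.0.0:1026 > 203.0.113.12:80 S
TCP 0.0.0.0:1027 > 203.0.113.13:80 S
TCP 192.168.1.7:40000 > 203.0.113.20:80 S
TCP 192.168.1.7:40001 > 203.0.113.20:80 S
TCP 192.168.1.7:40002 > 203.0.113.20:80 S
TCP 192.168.1.7:40003 > 203.0.113.20:80 S
TCP 192.168.1.7:40004 > 203.0.113.21:80 S
TCP 198.51.100.7:51234 > 203.0.113.10:80 S
TCP 198.51.100.7:51234 > 203.0.113.10:80 A
"""


def parse_line(line):
    """Parse one record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    proto, src, _, dst, flags = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags}


def classify_bogon_syns(log_text, flood_share=0.75):
    """Return {source: summary} for bogon-sourced bare SYNs.

    A source whose SYNs mostly hit one destination is reported as "syn-flood";
    one that spreads over many destinations as "sweep". Either way the action
    is the same: drop at the border, since no reply can ever reach the source.
    """
    syns = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        # A bare SYN has S set and A clear: the sender never intends to finish
        # the handshake, which is the point of the reply's SYN-flood remark.
        if "S" not in rec["flags"] or "A" in rec["flags"]:
            continue
        if is_bogon_source(rec["src"]):
            syns[rec["src"]][rec["dst"]] += 1

    report = {}
    for src, dsts in syns.items():
        total = sum(dsts.values())
        top_dst, top_n = dsts.most_common(1)[0]
        pattern = "syn-flood" if top_n / total >= flood_share else "sweep"
        report[src] = {"packets": total, "destinations": len(dsts),
                       "top_destination": top_dst, "pattern": pattern,
                       "action": "drop at border (unroutable source)"}
    return report


if __name__ == "__main__":
    for src, info in classify_bogon_syns(SAMPLE_LOG).items():
        print(src, info)
```

Run against the sample, 0.0.0.0 comes out as a "sweep" over four destinations and 192.168.1.7 as a "syn-flood" concentrated on 203.0.113.20, while the routable client 198.51.100.7 is never reported. The verdict only changes what you write in the incident note; the filter decision is the same for both, because a packet with an unroutable source cannot belong to any connection the DMZ host could complete.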
Current thread:
- 0.0.0.0 Probes John Smithson (Oct 21)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes Keith Bucknall (Oct 25)
- RE: 0.0.0.0 Probes xyberpix (Oct 26)
- RE: 0.0.0.0 Probes Fook Ming EE (Oct 26)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- <Possible follow-ups>
- RE: 0.0.0.0 Probes Jorge Reyes (Oct 22)
- RE: 0.0.0.0 Probes Shawn Jackson (Oct 22)
- 0.0.0.0 Probes John Smithson (Oct 25)
- Re: 0.0.0.0 Probes Ghaith Nasrawi (Oct 30)