Security Basics mailing list archives

RE: 0.0.0.0 Probes


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 22 Oct 2004 08:19:52 -0700

huge amount of HTTP Probe (over 50,000/day) with source IP 
address 0.0.0.0.

Welcome to the club, enjoy the stay.

This traffic is being dropped by my firewalls. Internal IDS does 
not show any of this event.

That's good. Seeing as my aunt with a fan could block that kind of traffic
:-).

Initially, I thought it was just normal scan, 
but since it is occurring everyday with that high frequency, 
I got more curious.

0.0.0.0 is an all-bits-off address or a network address, depending on
the mask. It's not routable over the internet, thus cannot be a scan
because the sender won't get any replies. Someone is just hammering you
for some reason, could even be a misconfigured piece of equipment. Have
you checked the hardware address? Compared it to other equipment on the
segment?


However, I'm trying to understand what / how does the 0.0.0.0 
Source mean.  

A 0 number in the host octet of the IP address means a network address.
This isn't routable outside the receiving subnet. 0.0.0.0 is an all-bits-off
(00000000 00000000 00000000 00000000) IP address and is invalid.
Thus the sender of the packet either put that there on purpose to hide
themselves or something is misconfigured. I think I have seen older RIP
implementations use that as the source, but my memory is foggy, being
early on a Friday and all :-(.

Is it something that we have mis-configuration? 

Possibly.


Is it broadcast traffic? 

No, broadcasts are all bits on in the host portion, or for an Ethernet
broadcast 255.255.255.255.

Can I use my router to block this?

Yes, ACL it. If you have a Cisco router, *like you should :-)* just do
this:

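! "host 0.0.0.0" (wildcard 0.0.0.0) matches only that one source; wildcard 255.255.255.255 would match any source
access-list 101 deny   ip host 0.0.0.0 any log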

Then assign the list to the appropriate interface and direction.

.. all normal questions to defend my assets..

Normal? What, you think this is normal? *ahhhhhhhh*.

*OUT*

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
Fax:   (775) 858-2330
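
Added example, not part of the original message: Cisco IOS ACLs take a source address followed by a wildcard mask in which 1 bits mean "ignore this bit", the inverse of a subnet mask. The Python sketch below models that matching rule and shows which source addresses three candidate source specifications would drop. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL wildcard semantics: 1 bits in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

# Source part of "access-list 101 deny ip <source> <wildcard> any log"
ACL_SOURCES = {
    "0.0.0.0 255.255.255.255": ("0.0.0.0", "255.255.255.255"),  # same as "any"
    "0.0.0.0 0.0.0.0":         ("0.0.0.0", "0.0.0.0"),          # same as "host 0.0.0.0"
    "0.0.0.0 0.255.255.255":   ("0.0.0.0", "0.255.255.255"),    # all of 0.0.0.0/8
}

# Constructed sample sources: the invalid address, another 0/8 address,
# and two documentation-range addresses standing in for legitimate clients.
SAMPLE_SOURCES = ["0.0.0.0", "0.1.2.3", "192.0.2.10", "198.51.100.7"]

def matched_sources(spec: str, sources=SAMPLE_SOURCES) -> list:
    """Return the sample sources that a deny entry with this spec would drop."""
    base, wildcard = ACL_SOURCES[spec]
    return [s for s in sources if wildcard_match(s, base, wildcard)]

if __name__ == "__main__":
    for spec in ACL_SOURCES:
        print(f"deny ip {spec} any -> drops {matched_sources(spec)}")
```

A wildcard of 255.255.255.255 drops every source, legitimate clients included, while a wildcard of 0.0.0.0 confines the deny to the single source address 0.0.0.0.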

