Security Basics mailing list archives
RE: 0.0.0.0 Probes
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 22 Oct 2004 08:19:52 -0700
> huge amount of HTTP Probe (over 50,000/day) with source IP address 0.0.0.0.
Welcome to the club, enjoy the stay.
> This traffic is being dropped by my firewalls. Internal IDS does not show any of this event.
That's good. Seaming my aunt with a fan could block that kind of traffic :-).
> Initially, I thought it was just a normal scan, but since it is occurring every day with that high frequency, I got more curious.
0.0.0.0 is an all-bits-off address or a network address, depending on the mask. It's not routable over the Internet, thus it cannot be a scan because the sender won't get any replies. Someone is just hammering you for some reason; it could even be a misconfigured piece of equipment. Have you checked the hardware address? Compared it to other equipment on the segment?
> However, I'm trying to understand what / how does the 0.0.0.0 Source mean.
A 0 number in the host octet of the IP address means a network address. This isn't routable outside the receiving subnet. 0.0.0.0 is an all-bits-off (00000000 00000000 00000000 00000000) IP address and is invalid. Thus the sender of the packet either put that there on purpose to hide themselves or something is misconfigured. I think I have seen older RIP implementations use that as the source, but my memory is foggy, being early on a Friday and all :-(.
> Is it something that we have mis-configuration?
Possibly. Is it broadcast traffic? No, broadcasts are all bits on in the host portion, or for an Ethernet broadcast 255.255.255.255.
> Can I use my router to block this?
Yes, ACL it. If you have a Cisco router, *like you should :-)* just do this:

    access-list 101 deny ip host 0.0.0.0 any log

Then assign the list to the appropriate interface and direction.
> .. all normal questions to defend my assets..
Normal, what you think this is normal *ahhhhhhhh*. *OUT*

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
Fax:   (775) 858-2330
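
Added example, not part of the original message: a way to follow up on the "have you checked the hardware address?" suggestion by tallying dropped packets with a 0.0.0.0/8 source per ingress interface and source MAC. The key=value log format, field names and sample lines are constructed assumptions; adapt them to what your firewall actually logs.

```python
import ipaddress
import re
from collections import Counter

# 0.0.0.0/8 ("this network", RFC 1122) is never a legitimate source on
# traffic arriving from another network.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Hypothetical key=value log format; adapt the field names to your firewall.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines, not taken from the original post.
SAMPLE_LOG = """\
Oct 22 08:01:10 fw DROP in=eth0 src_mac=00:0c:29:aa:bb:01 src=0.0.0.0 dst=192.0.2.10 dpt=80
Oct 22 08:01:11 fw DROP in=eth0 src_mac=00:0C:29:AA:BB:01 src=0.0.0.0 dst=192.0.2.10 dpt=80
Oct 22 08:01:12 fw DROP in=eth1 src_mac=00:0c:29:cc:dd:02 src=198.51.100.7 dst=192.0.2.10 dpt=22
Oct 22 08:01:13 fw DROP in=eth0 src_mac=00:0c:29:ee:ff:03 src=0.0.0.0 dst=192.0.2.11 dpt=80
Oct 22 08:01:14 fw DROP in=eth0 src_mac=00:0c:29:aa:bb:01 src=not-an-ip dst=192.0.2.10 dpt=80
"""


def zero_source_senders(lines):
    """Count packets with a 0.0.0.0/8 source per (interface, source MAC)."""
    senders = Counter()
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields.get("src", ""))
        except ValueError:
            continue  # missing or malformed source field: skip the line
        if src.version == 4 and src in THIS_NETWORK:
            key = (fields.get("in", "?"), fields.get("src_mac", "?").lower())
            senders[key] += 1
    return senders


if __name__ == "__main__":
    # Busiest sender first: a single MAC dominating the list points at one
    # device on the segment rather than at many remote hosts.
    result = zero_source_senders(SAMPLE_LOG.splitlines())
    for (iface, mac), count in result.most_common():
        print(f"{count:6d}  {iface}  {mac}")
```

If the MAC that dominates the output is your upstream router's, the packets are arriving from outside the segment and the MAC will not identify the original sender.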