Re: Ip spoof from 0.0.0.0

From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Date: 11/06/02


From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Date: Wed, 6 Nov 2002 01:34:51 +0100 (CET)
To: incidents@securityfocus.com

On Mon, 4 Nov 2002, Ingersoll, Jared wrote:

> Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
> spoof from (0.0.0.0) to x.x.x.5

We're seeing them too, since Nov 1 03:30 GMT, approx. 150 per day.
TCP SYNs to port 445 on different IPs. An interesting detail is that all
of them have IP ID == 256. TTL appears to vary between 108 and 113.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
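
A filter for the traits reported in this message (source 0.0.0.0, TCP SYN to port 445, IP ID 256, TTL 108 to 113), as an added example that is not part of the original post. The function names and the sample packets are constructed for illustration, with addresses taken from the documentation ranges.

```python
import socket
import struct

def build_packet(src, dst, ip_id, ttl, dport, flags, sport=1025):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse(pkt):
    """Return header fields of an IPv4/TCP packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:
        return None
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    if frag & 0x1FFF:                      # later fragments carry no TCP header
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ip_id": ip_id, "ttl": pkt[8], "dport": dport, "flags": pkt[ihl + 13]}

def classify(pkt):
    """'match': every trait from the post; 'partial': 0.0.0.0 SYN to 445 only."""
    f = parse(pkt)
    if f is None:
        return "other"
    syn_only = (f["flags"] & 0x12) == 0x02  # SYN set, ACK clear
    if not (f["src"] == "0.0.0.0" and f["dport"] == 445 and syn_only):
        return "other"
    if f["ip_id"] == 256 and 108 <= f["ttl"] <= 113:
        return "match"
    return "partial"

# Constructed packets, not captured traffic.
SAMPLES = [
    build_packet("0.0.0.0", "192.0.2.5", 256, 110, 445, 0x02),     # all traits
    build_packet("0.0.0.0", "192.0.2.6", 4711, 64, 445, 0x02),     # other ID/TTL
    build_packet("198.51.100.7", "192.0.2.5", 256, 110, 445, 0x02),  # real source
    build_packet("0.0.0.0", "192.0.2.5", 256, 110, 80, 0x02),      # other port
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p), parse(p))
```

Separating "match" from "partial" keeps the fixed IP ID and TTL range as corroborating traits rather than the sole trigger, so a variant with different values still surfaces.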
