RE: Ip spoof from 0.0.0.0

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: 11/07/02


Date: Wed, 06 Nov 2002 18:40:37 -0600
From: Omar Herrera <oherrera@prodigy.net.mx>
To: incidents@securityfocus.com


 

Also, you might want to check the following page:
http://www.sans.org/newlook/resources/SMJ/week35.htm

This describes a test DoS performed by someone on their own network
using TCP-SYN packets and a spoofed address of 0.0.0.0.

Omar Herrera

-----Original Message-----
From: Ingersoll, Jared [mailto:jared@cswv.com]
Sent: Monday, 04 November 2002 03:28 p.m.
To: incidents@securityfocus.com
Subject: Ip spoof from 0.0.0.0

I was hoping someone could tell me whether this is a misconfigured
device (perhaps) or is this activity I should be concerned with (and
please keep any witless banter regarding my use of 'concerned with' to
yourself - thanks!).

These are SYSLOG entries from my firewall (PIX). (The x.x.x.X are
static addresses on the external interface.)

-Jared

urchin 7% grep spoof oSYSLOG
Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.5
Nov 1 01:58:04 2U:10.1.1.1 Nov 01 2002 02:05:51: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.34
Nov 1 02:41:50 2U:10.1.1.1 Nov 01 2002 02:49:37: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.37
Nov 1 04:36:35 2U:10.1.1.1 Nov 01 2002 04:44:22: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.19
Nov 1 08:18:42 2U:10.1.1.1 Nov 01 2002 08:26:30: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.16
Nov 1 08:27:31 2U:10.1.1.1 Nov 01 2002 08:35:19: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.32
Nov 1 09:32:08 2U:10.1.1.1 Nov 01 2002 09:39:56: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.33
Nov 1 10:42:02 2U:10.1.1.1 Nov 01 2002 10:49:48: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.34
Nov 1 18:33:05 2U:10.1.1.1 Nov 01 2002 18:40:51: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.21
Nov 2 00:10:06 2U:10.1.1.1 Nov 02 2002 00:17:53: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.7
Nov 2 01:54:34 2U:10.1.1.1 Nov 02 2002 02:02:20: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.35
Nov 2 08:22:47 2U:10.1.1.1 Nov 02 2002 08:30:33: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.21
Nov 2 16:18:40 2U:10.1.1.1 Nov 02 2002 16:26:29: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.33
Nov 2 20:33:58 2U:10.1.1.1 Nov 02 2002 20:41:45: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.22
Nov 2 22:31:45 2U:10.1.1.1 Nov 02 2002 22:39:34: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.15
urchin 8% grep spoof SYSLOG
Nov 3 03:49:52 2U:10.1.1.1 Nov 03 2002 03:57:39: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.33
Nov 3 06:58:18 2U:10.1.1.1 Nov 03 2002 07:06:07: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.37
Nov 3 08:06:33 2U:10.1.1.1 Nov 03 2002 08:14:21: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.22
Nov 3 12:32:45 2U:10.1.1.1 Nov 03 2002 12:40:34: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.15
Nov 3 16:51:02 2U:10.1.1.1 Nov 03 2002 16:58:50: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.30
Nov 3 19:30:21 2U:10.1.1.1 Nov 03 2002 19:38:11: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.39
Nov 3 21:04:12 2U:10.1.1.1 Nov 03 2002 21:12:00: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.33
Nov 4 00:31:34 2U:10.1.1.1 Nov 04 2002 00:39:24: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.5
Nov 4 03:06:55 2U:10.1.1.1 Nov 04 2002 03:14:44: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.12
Nov 4 03:16:12 2U:10.1.1.1 Nov 04 2002 03:24:01: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.15
Nov 4 04:03:17 2U:10.1.1.1 Nov 04 2002 04:11:05: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.13
Nov 4 04:08:19 2U:10.1.1.1 Nov 04 2002 04:16:08: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.16
Nov 4 04:21:53 2U:10.1.1.1 Nov 04 2002 04:29:41: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.30
Nov 4 05:27:16 2U:10.1.1.1 Nov 04 2002 05:35:04: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.30
Nov 4 08:38:26 2U:10.1.1.1 Nov 04 2002 08:46:16: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.34
Nov 4 13:33:28 2U:10.1.1.1 Nov 04 2002 13:41:18: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.19

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
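
A triage sketch for the %PIX-2-106016 entries in this thread, added here as an example and not written by either poster: it parses the entries (including ones wrapped by a mail client), then reports per-day volume, spread across destinations, and how many arrivals are closer together than a flood-like threshold. The function names and the 1-second `burst_seconds` threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Four of the entries posted above, in one-line form, used as sample input.
# The x.x.x.N destinations are masked exactly as in the post.
SAMPLE = """\
Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.5
Nov 1 01:58:04 2U:10.1.1.1 Nov 01 2002 02:05:51: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.34
Nov 1 02:41:50 2U:10.1.1.1 Nov 01 2002 02:49:37: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.37
Nov 1 10:42:02 2U:10.1.1.1 Nov 01 2002 10:49:48: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.34
"""

# Matches the firewall's own timestamp (with year), then the 106016 message.
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-2-106016: "
    r"Deny IP spoof from \((?P<src>[^)]+)\) to (?P<dst>\S+)")

def parse(text):
    """Return (device_time, src, dst) for every 106016 entry in text.

    All whitespace is collapsed first, so entries that a mail client
    wrapped over several lines still match. %b assumes an English locale.
    """
    flat = " ".join(text.split())
    return [(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["src"], m["dst"])
            for m in ENTRY.finditer(flat)]

def summarize(events, burst_seconds=1.0):
    """Summarise rate and spread; burst_seconds is an assumed threshold."""
    times = sorted(t for t, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "per_day": Counter(t.strftime("%Y-%m-%d") for t in times),
        "per_dst": Counter(dst for _, _, dst in events),
        "sources": sorted({src for _, src, _ in events}),
        "min_gap_s": min(gaps) if gaps else None,
        # Gaps under the threshold indicate packets arriving in bursts.
        "burst_gaps": sum(g < burst_seconds for g in gaps),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(key, value)
```

Feeding it the full `grep spoof SYSLOG` output gives the daily count and the minimum gap between denials, which is the comparison to make against the SYN-flood test described on the linked page.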
