0.0.0.0 Probes

From: John Smithson (why1234_at_hotmail.com)
Date: 10/21/04

  • Next message: mike_at_genxweb.net: "RE: Linux hacked" 
    To: security-basics@securityfocus.com
Date: Thu, 21 Oct 2004 13:47:24 -0700

    Gurus,

    Over the last few days my external NIDS (outside firewall) has picked up
    huge amount of HTTP Probe (over 50,000/day) with source IP address 0.0.0.0.
    The destinations are every IP address on my public-DMZ. These are just HTTP
    Probes. This traffic is being dropped by my firewalls. Internal IDS does
    not show any of this event. Initially, I thought it was just normal scan,
    but since it is occurring everyday with that high frequency, I got more
    curious.

    However, I'm trying to understand what / how does the 0.0.0.0 Source mean.
    Could some of you kindly shed light on this fellow? I have googled it and
    done normal research.. but still not 100% clear. Is it something that we
    have mis-configuration? Is it broadcast traffic? Can I user my router to
    block this? .. all normal questions to defend my assets..

    Thank you,

    John

    _________________________________________________________________
    Check out Election 2004 for up-to-date election news, plus voter tools and
    more! http://special.msn.com/msn/election2004.armx

  • Next message: mike_at_genxweb.net: "RE: Linux hacked"