Re: 0.0.0.0 Probes

From: Miles Stevenson (miles_at_mstevenson.org)
Date: 10/22/04

    To: security-basics@securityfocus.com
    Date: Thu, 21 Oct 2004 22:58:52 -0400

    Hello John,

    According to RFC 1812, all routers "SHOULD NOT originate datagrams addressed
    to 0.0.0.0". This leads me to believe that these packets are coming from your
    local ISP's network. However, the RFC goes on to state:

    "There MAY be a configuration option to allow generation of these packets
    (instead of using the relevant 1s format broadcast). This option SHOULD
    default to not generating them."

    -which opens up a loophole for routers to do just that. This could also be a
    configuration problem with your ISP's router.

    Other than that, I can't really help you identify the purpose of these packets
    without more information. Would it be possible for you to provide me with a
    full packet capture of these (off-list of course)? I can then post a more
    in-depth analysis of that capture, scrubbing all appropriate information from
    the post (IP and MAC addresses, etc). Of course, anything you want me to keep
    confidential will be honored.

    You can take a capture of this traffic with the following command on your
    firewall (running as root):
    tcpdump -nS -i eth0 -w capture.dump host 0.0.0.0 &

    (where "eth0" is the ethernet device facing your ISP's network, and
    "capture.dump" is the file to save the data to).

    The process should detach, and run in the background. Go ahead and let it run
    for a while to capture data. Periodically check your "capture.dump" file with
    the command:

    ls -alh capture.dump

    Please don't let the file grow over 50k of data. Once you get close to this
    number, go ahead and kill the tcpdump process:

    killall tcpdump

    It also wouldn't hurt to submit this to the ISC Handlers at www.incidents.org

    Of course you can and SHOULD use your router/firewall/filtering device to
    block such traffic. It is definitely not legitimate. This doesn't necessarily
    mean that it is malicious, but you should be blocking it regardless.

    Cheers.

    -- 
    Miles Stevenson
    miles@mstevenson.org
    PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
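The capture analysis Miles offers above, as an added example that is not part of the original message: a small Python reader for the pcap file that "tcpdump -w" writes, which pulls out every IPv4 frame addressed to 0.0.0.0, reports the fields worth looking at when guessing where such packets come from (source MAC, TTL, protocol, ports or ICMP type) and pseudonymises the real addresses the way the post promises to scrub them before anything is published. The pcap bytes, MAC addresses, IPs and timestamps it runs on are constructed for the example; point it at a real capture.dump instead to get the same summary.

```python
import hashlib
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def ip_checksum(header):
    """RFC 791 one's-complement sum over an IPv4 header; 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload, ttl=64):
    """Ethernet II + IPv4 frame around `payload` (used only to construct sample data)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill in the checksum
    return eth + hdr + payload

def build_pcap(frames):
    """Classic little-endian pcap (LINKTYPE_ETHERNET), the format tcpdump -w produces."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1098400000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (ts_sec, frame) per record; accepts either byte order of the classic magic."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def scrub(addr):
    """Stable pseudonym for an address; 0.0.0.0 and broadcast stay readable, they are the point."""
    if addr in ("0.0.0.0", "255.255.255.255", "ff:ff:ff:ff:ff:ff"):
        return addr
    tag = hashlib.sha256(addr.encode()).hexdigest()[:6]
    return ("mac-" if ":" in addr else "ip-") + tag

def summarize(data, scrub_addrs=True):
    """One dict per IPv4 frame whose destination address is 0.0.0.0."""
    rows = []
    for ts, frame in parse_pcap(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        dst_ip = socket.inet_ntoa(ip[16:20])
        if dst_ip != "0.0.0.0":
            continue
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        if proto in (6, 17) and len(l4) >= 4:
            detail = "%d -> %d" % struct.unpack("!HH", l4[:4])
        elif proto == 1 and len(l4) >= 2:
            detail = "type %d code %d" % (l4[0], l4[1])
        else:
            detail = ""
        show = scrub if scrub_addrs else (lambda a: a)
        mac = lambda b: ":".join("%02x" % x for x in b)
        rows.append({"ts": ts, "src_mac": show(mac(frame[6:12])), "dst_mac": show(mac(frame[:6])),
                     "src_ip": show(socket.inet_ntoa(ip[12:16])), "dst_ip": dst_ip,
                     "ttl": ip[8], "proto": PROTO_NAMES.get(proto, str(proto)), "detail": detail})
    return rows

# Constructed capture: two probes to 0.0.0.0 and one ordinary unicast SYN that must be ignored.
SAMPLE_PCAP = build_pcap([
    build_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "192.0.2.1", "0.0.0.0", 17,
                struct.pack("!HHHH", 1024, 7, 8, 0)),                      # UDP 1024 -> 7
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.0.2.1", "198.51.100.7", 6,
                struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)),
    build_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "192.0.2.1", "0.0.0.0", 1,
                bytes([8, 0, 0, 0])),                                       # ICMP echo request
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for row in summarize(data):
        print(row)
```

Run it as "python3 zero_dst.py capture.dump" on the file from the tcpdump command above. Two fields do most of the work when deciding whether the ISP's router is the source: a TTL still at a common initial value (64, 128 or 255) means the sender is one hop away, and a source MAC that matches the upstream gateway's MAC points at that router rather than at some host behind it. The pseudonymised output can be posted as-is, since only 0.0.0.0 and the broadcast addresses survive scrubbing; call summarize(data, scrub_addrs=False) for the unscrubbed view you keep off-list.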