RE: 0.0.0.0 Probes

From: Jorge Reyes (Jorge.Reyes_at_Talaris.com)
Date: 10/22/04

    Date: Thu, 21 Oct 2004 19:14:38 -0700
    To: <security-basics@securityfocus.com>

    On your router you can drop all packets without an IP address.

    On a Cisco router that will look like so:

    ###############################################################
    ! Beginning of access-list 101
    !
    ! Deny rfc 1918 addresses:
    !
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
    !
    ! Deny packets with localhost, broadcast and multicast addresses:
    !
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
    !
    ! Deny packets without ip address.
    !
    access-list 101 deny ip host 0.0.0.0 any log
    !
    !
    ! Apply access list to external interface:
    !
    ip access-group 101 in
    !
    ! Use this command if you want to see denied hosts while
    ! logged into the router. Use command:
    ! "show ip accounting access-violations"
    !
    ! ip accounting access-violations

    ###############################################################

    On Linux with ipfwadm:

    # Deny rfc 1918 addresses:
    #
    ipfwadm -I -a deny -Weth0 -S 10.0.0.0/8 -D $EXTIP -o
    ipfwadm -I -a deny -Weth0 -S 172.16.0.0/12 -D $EXTIP -o
    ipfwadm -I -a deny -Weth0 -S 192.168.0.0/16 -D $EXTIP -o
    #
    # Deny packets without ip address.
    #
    ipfwadm -I -a deny -Weth0 -S 0.0.0.0/32 -D $EXTIP -o

    Jorge

    -----Original Message-----
    From: John Smithson [mailto:why1234@hotmail.com]
    Sent: Thursday, October 21, 2004 1:47 PM
    To: security-basics@securityfocus.com
    Subject: 0.0.0.0 Probes

    Gurus,

    Over the last few days my external NIDS (outside firewall) has picked up
    a huge amount of HTTP probes (over 50,000/day) with source IP address 0.0.0.0.
    The destinations are every IP address on my public DMZ. These are just HTTP
    probes. This traffic is being dropped by my firewalls. The internal IDS does
    not show any of these events. Initially, I thought it was just a normal scan,
    but since it is occurring every day with that high frequency, I got more
    curious.

    However, I'm trying to understand what the 0.0.0.0 source means and how it
    arises. Could some of you kindly shed light on this fellow? I have googled it
    and done normal research, but I'm still not 100% clear. Is it something that
    we have misconfigured? Is it broadcast traffic? Can I use my router to
    block this? ... all normal questions to defend my assets.

    Thank you,

    John


