RE: 0.0.0.0 Probes

From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 10/22/04

    Date: Fri, 22 Oct 2004 08:19:52 -0700
    To: "John Smithson" <why1234@hotmail.com>, <security-basics@securityfocus.com>
    
    

    > huge amount of HTTP Probe (over 50,000/day) with source IP
    > address 0.0.0.0.

    Welcome to the club, enjoy the stay.

    > This traffic is being dropped by my firewalls. Internal IDS does
    > not show any of this event.

    That's good. Seeing as my aunt with a fan could block that kind of traffic
    :-).

    > Initially, I thought it was just normal scan,
    > but since it is occurring everyday with that high frequency,
    > I got more curious.

    0.0.0.0 is an all-bits-off address or a network address, depending on
    the mask. It's not routable over the Internet, thus cannot be a scan
    because the sender won't get any replies. Someone is just hammering you
    for some reason; could even be a misconfigured piece of equipment. Have
    you checked the hardware address? Compared it to other equipment on the
    segment?

    > However, I'm trying to understand what / how does the 0.0.0.0
    > Source mean.

    A 0 number in the host octet of the IP address means a network address.
    This isn't routable outside the receiving subnet. 0.0.0.0 is an all-bits-off
    (00000000 00000000 00000000 00000000) IP address and is invalid.
    Thus the sender of the packet either put that there on purpose to hide
    themselves or something is misconfigured. I think I have seen older RIP
    implementations use that as the source, but my memory is foggy, being
    early on a Friday and all :-(.

    > Is it something that we have mis-configuration?

    Possibly.

    > Is it broadcast traffic?

    No, broadcasts are all bits on in the host portion, or for an Ethernet
    broadcast 255.255.255.255.

    > Can I use my router to block this?

    Yes, ACL it. If you have a Cisco router, *like you should :-)* just do
    this:

    ! "host 0.0.0.0" matches only that source; wildcard 255.255.255.255 would match any source
    access-list 101 deny ip host 0.0.0.0 any log

    Then assign the list to the appropriate interface and direction.

    > .. all normal questions to defend my assets..

    Normal? What, you think this is normal? *ahhhhhhhh*.

    *OUT*

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
           (800) 325-1199 x338
    Fax: (775) 858-2330
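
The hardware-address check suggested in the reply above, as an added example that is not part of the original message: it tallies dropped packets whose source is 0.0.0.0 by source MAC and destination port, so a single misconfigured device on the segment stands out. The log format, the field names (SMAC, SRC, DPT) and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
Oct 22 08:01:11 fw DROP SMAC=00:11:22:33:44:55 SRC=0.0.0.0 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 22 08:01:12 fw DROP SMAC=00:11:22:33:44:55 SRC=0.0.0.0 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 22 08:01:13 fw DROP SMAC=66:77:88:99:aa:bb SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 22 08:01:15 fw DROP SMAC=00:11:22:33:44:55 SRC=0.0.0.0 DST=192.0.2.11 PROTO=TCP DPT=80
Oct 22 08:01:16 fw DROP SMAC=cc:dd:ee:ff:00:11 SRC=0.0.0.0 DST=192.0.2.10 PROTO=TCP DPT=8080
Oct 22 08:01:17 fw DROP truncated line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def summarize_unspecified_sources(log_text):
    """Count packets with source 0.0.0.0, keyed by (source MAC, dest port)."""
    by_mac_port = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except (KeyError, ValueError):
            continue  # skip lines with a missing or malformed SRC field
        if src.is_unspecified:  # True only for 0.0.0.0 (or :: in IPv6)
            key = (fields.get("SMAC", "unknown"), fields.get("DPT", "?"))
            by_mac_port[key] += 1
    return by_mac_port


def top_sender(log_text):
    """Return (source MAC, count) for the heaviest 0.0.0.0 sender, or None."""
    per_mac = Counter()
    for (mac, _port), n in summarize_unspecified_sources(log_text).items():
        per_mac[mac] += n
    return per_mac.most_common(1)[0] if per_mac else None


if __name__ == "__main__":
    for (mac, port), n in summarize_unspecified_sources(SAMPLE_LOG).most_common():
        print(f"{n:3d}  smac={mac}  dpt={port}")
    print("top sender:", top_sender(SAMPLE_LOG))
```
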

