0.0.0.0 Probes

From: John Smithson (why1234_at_hotmail.com)
Date: 10/25/04

Next message: Beauford, Jason: "RE: Help, possible rootkit"

Previous message: Nicholson, Dale: "RE: Linux hacked"
Next in thread: Jorge Reyes: "RE: 0.0.0.0 Probes"
Maybe reply: Jorge Reyes: "RE: 0.0.0.0 Probes"
Maybe reply: Shawn Jackson: "RE: 0.0.0.0 Probes"
Maybe reply: Ghaith Nasrawi: "Re: 0.0.0.0 Probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: security-basics@securityfocus.com
Date: Mon, 25 Oct 2004 07:25:46 -0700

Thank you very much for everyone's input.

I'll do some sniffing :) and attempt to understand if there is a
misconfigured device on our network. Also, as some of you pointed out, I'll
have our router block the 0.0.0.0 and other private or public (but not
allocated) networks.

Life is full of strange network packets, we will take care one packet at a
time. :)

John

-------------------------
Gurus,

Over the last few days my external NIDS (outside firewall) has picked up
huge amount of HTTP Probe (over 50,000/day) with source IP address 0.0.0.0.
The destinations are every IP address on my public-DMZ. These are just HTTP
Probes. This traffic is being dropped by my firewalls. Internal IDS does
not show any of this event. Initially, I thought it was just normal scan,
but since it is occurring everyday with that high frequency, I got more
curious.

However, I'm trying to understand what / how does the 0.0.0.0 Source mean.
Could some of you kindly shed light on this fellow? I have googled it and
done normal research.. but still not 100% clear. Is it something that we
have mis-configuration? Is it broadcast traffic? Can I user my router to
block this? .. all normal questions to defend my assets..

Thank you,

John

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee®
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

Next message: Beauford, Jason: "RE: Help, possible rootkit"

Previous message: Nicholson, Dale: "RE: Linux hacked"
Next in thread: Jorge Reyes: "RE: 0.0.0.0 Probes"
Maybe reply: Jorge Reyes: "RE: 0.0.0.0 Probes"
Maybe reply: Shawn Jackson: "RE: 0.0.0.0 Probes"
Maybe reply: Ghaith Nasrawi: "Re: 0.0.0.0 Probes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: My Network Neighborhood is EMPTY
... Thanks John for this info... ... > with a misconfigured firewall can cause browser wars on the network ...
(microsoft.public.win2000.networking)
Re: Cable Modem Router problem
... :o) Glad you have it sorted, John. ... My network was working previously via Internet Sharing ... >>> router, all pc's can access the internet but cannot see each other on ...
(microsoft.public.windowsxp.general)
Re: NET USE in 2k3
... Security Options ... Network Security: Minimum session security for NTLM SSP (there will be one ... map a drive to a Cellera NAS server. ... "John Schneider" wrote: ...
(microsoft.public.windows.server.networking)
Re: SP1 and ICS
... John ... >I found this before when the Windows Firewall started causing issues, ... > ended up being firewall settings that weren't displayed in the gui to the ... All the network computer can access the ...
(microsoft.public.windows.server.general)
Re: LF Gain Stepping RC Network Calculator
... John and I see eye to eye on most things but alter ego I ... Gain Stepping RC Network Calculator" that I posted here about a month ... designs to stabilize them at low frequencies when applying NFB. ...
(rec.audio.tubes)