RE: 0.0.0.0 Probes

• Previous message: H Carvey: "Re: Is this normal?"
• In reply to: Keith Bucknall: "RE: 0.0.0.0 Probes"
• Next in thread: David Gillett: "RE: 0.0.0.0 Probes"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <keith.bucknall@zen.co.uk>, <miles@mstevenson.org>, <security-basics@securityfocus.com>, <gillettdavid@fhda.edu>
Date: Tue, 26 Oct 2004 13:24:21 +0800

You may want to check the DHCP config of the server is proper and also check
client IP config to make sure that client side IP is not statically
configured. PPP would take precedence to dynamically allocate source IP to
clients that connect to VPN servers, as this is the usual setup.

-----Original Message-----
From: Keith Bucknall [mailto:keith.bucknall@zen.co.uk]
Sent: Saturday, October 23, 2004 6:52 PM
To: miles@mstevenson.org; security-basics@securityfocus.com;
gillettdavid@fhda.edu
Cc: 'John Smithson'
Subject: RE: 0.0.0.0 Probes

Dear All,

I am trying to troubleshoot a problem we have, on a particular site they use
a PPTP VPN connection to our office, at present we just use Windows XP DUN
for this - I will be changing this soon to a IPSEC tunnel but just need to
get this working.

When use A dials the VPN server they connect without a problem and the VPN
registers as established. But then the next day when User B tries on our
VPN server it displays his source address as 0.0.0.0 and then refuses the
connection, User A tries and I get his original source IP. This only
displays a source IP as 0.0.0.0 for User B...

Would this mean that his PC could be infected with a worm that is trying to
hide the course IP.

Kind Regards

Keith

-----Original Message-----
From: Miles Stevenson [mailto:miles@mstevenson.org]
Sent: 22 October 2004 19:02
To: security-basics@securityfocus.com; gillettdavid@fhda.edu
Cc: 'John Smithson'
Subject: Re: 0.0.0.0 Probes

David,

<snip>
> These packets are not *to* 0.0.0.0; they just claim to be
> *from* there. Unless a router is specifically configured to
> check the source address for validity, it won't care. (The
> RFC passage you quote prevents attempts to *reply* to such
> packets from saturating the whole Internet.)
</snip>

Agreed. Thank you for the correction.

>"..SHOULD NOT originate datagrams addressed to 0.0.0.0".

Use of the words "originate" and "to" in the same phrase to represent
traffic
flow seems, at first glance, to be in conflict with each other, and is
likely
the source of my misinterpretation.

Another example of the importance of semantics when then intention is to
communicate accurately.

-- 
Miles Stevenson
miles@mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63

• Previous message: H Carvey: "Re: Is this normal?"
• In reply to: Keith Bucknall: "RE: 0.0.0.0 Probes"
• Next in thread: David Gillett: "RE: 0.0.0.0 Probes"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]