Security Basics mailing list archives

RE: 0.0.0.0 Probes


From: "Jorge Reyes" <Jorge.Reyes () Talaris com>
Date: Thu, 21 Oct 2004 19:14:38 -0700

On your router you can drop all packets without an IP address.

On a Cisco router that will be like so:


###############################################################
! Beginning of access-list 101
!
! Deny rfc 1918 addresses:
!
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
!
! Deny packets with localhost, broadcast and multicast addresses:
! (wildcard 15.255.255.255 covers all of 224.0.0.0/4; the narrower
! 7.255.255.255 stops at 231.255.255.255 and misses half of multicast)
!
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
!
! Deny packets without ip address.
!
access-list 101 deny   ip host 0.0.0.0 any log
!
! Permit everything else: without this line the implicit "deny any"
! at the end of the list blocks all inbound traffic on the interface.
!
access-list 101 permit ip any any
!
! Apply access list to external interface (enter that interface's
! configuration mode first with "interface <external-interface>"):
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router. Use command:
! "show ip accounting access-violations"
!
! ip accounting access-violations

###############################################################


On Linux with ipfwadm:

# EXTIP holds the address of the external interface (eth0 here);
# -I = input chain, -a deny = append a deny rule, -o = log the match.
#
# Deny rfc 1918 addresses:
#
ipfwadm -I -a deny -W eth0 -S 10.0.0.0/8 -D $EXTIP -o
ipfwadm -I -a deny -W eth0 -S 172.16.0.0/12 -D $EXTIP -o
ipfwadm -I -a deny -W eth0 -S 192.168.0.0/16 -D $EXTIP -o
#
# Deny packets without ip address.
#
ipfwadm -I -a deny -W eth0 -S 0.0.0.0/32 -D $EXTIP -o

Jorge
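An added example (mine, not from Jorge's message or the original thread) that expresses the same ingress filter in Python: it converts each Cisco address/wildcard pair to a CIDR network and tallies NIDS alert lines by the rule their source address would hit, so you can see what the list would drop before applying it. The alert line format and the sample alerts are assumed and constructed for this example.

```python
import ipaddress
import re
# Constructed to mirror the access-list above (multicast widened to 224/4):
# (Cisco address, Cisco wildcard mask, label)
CISCO_DENY_RULES = [
    ("192.168.0.0", "0.0.255.255", "rfc1918"),
    ("172.16.0.0", "0.15.255.255", "rfc1918"),
    ("10.0.0.0", "0.255.255.255", "rfc1918"),
    ("127.0.0.0", "0.255.255.255", "loopback"),
    ("255.0.0.0", "0.255.255.255", "broadcast"),
    ("224.0.0.0", "15.255.255.255", "multicast"),
    ("0.0.0.0", "0.0.0.0", "unspecified"),  # 'host 0.0.0.0'
]

def wildcard_to_network(address, wildcard):
    """Cisco wildcard -> IPv4Network. The wildcard is the inverse of the
    subnet mask, so 0.0.255.255 becomes 255.255.0.0 (/16)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((address, str(netmask)), strict=False)
DENY_NETWORKS = [(wildcard_to_network(a, w), lbl) for a, w, lbl in CISCO_DENY_RULES]

def classify_source(src):
    """Label of the first deny rule this source address hits, else None."""
    ip = ipaddress.IPv4Address(src)
    for net, label in DENY_NETWORKS:
        if ip in net:
            return label
    return None
# Hypothetical NIDS alert format assumed for this example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def count_by_verdict(log_lines):
    """Tally alerts by the deny rule their source would hit ('allowed' if none)."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        label = classify_source(m.group(1)) or "allowed"
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample alerts in the spirit of the original post; not real capture data.
SAMPLE_LOG = [
    "Oct 21 13:40:01 nids: src=0.0.0.0 dst=203.0.113.10 proto=tcp dport=80",
    "Oct 21 13:40:02 nids: src=0.0.0.0 dst=203.0.113.11 proto=tcp dport=80",
    "Oct 21 13:40:03 nids: src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80",
    "Oct 21 13:40:04 nids: src=10.1.2.3 dst=203.0.113.12 proto=tcp dport=80",
]
```

Running `count_by_verdict(SAMPLE_LOG)` on the constructed alerts gives two hits on the `host 0.0.0.0` rule, one RFC 1918 hit and one allowed source.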


-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com]
Sent: Thursday, October 21, 2004 1:47 PM
To: security-basics () securityfocus com
Subject: 0.0.0.0 Probes


Gurus,

Over the last few days my external NIDS (outside the firewall) has picked up
a huge amount of HTTP probes (over 50,000/day) with source IP address 0.0.0.0.
The destinations are every IP address on my public DMZ.  These are just HTTP
probes.  This traffic is being dropped by my firewalls. The internal IDS does
not show any of these events.  Initially, I thought it was just a normal scan,
but since it is occurring every day at that high frequency, I got more
curious.

However, I'm trying to understand what the 0.0.0.0 source means and how it comes about.
Could some of you kindly shed light on this fellow?  I have googled it and
done the normal research.. but am still not 100% clear.  Is it something that we
have misconfigured? Is it broadcast traffic? Can I use my router to
block this?  .. all normal questions to defend my assets..

Thank you,

John
