Re: 0.0.0.0 Probes

["Mike" <securitybasics () infinity77 net>]

I recommend setting up acl on the router with anti-bogon list so that not
only 0.0.0.0 gets stopped, but you can drop packets for any ip block that
arin has not assigned.

----- Original Message ----- 
From: "John Smithson" <why1234 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Thursday, October 21, 2004 4:47 PM
Subject: 0.0.0.0 Probes


> Gurus,
>
> Over the last few days my external NIDS (outside firewall) has picked up
> huge amount of HTTP Probe (over 50,000/day) with source IP address
0.0.0.0.
> The destinations are every IP address on my public-DMZ.  These are just
HTTP
> Probes.  This traffic is being dropped by my firewalls. Internal IDS does
> not show any of this event.  Initially, I thought it was just normal scan,
> but since it is occurring everyday with that high frequency, I got more
> curious.
>
> However, I'm trying to understand what / how does the 0.0.0.0 Source mean.
> Could some of you kindly shed light on this fellow?  I have googled it and
> done normal research.. but still not 100% clear.  Is it something that we
> have mis-configuration? Is it broadcast traffic? Can I user my router to
> block this?  .. all normal questions to defend my assets..
>
> Thank you,
>
> John
>
> _________________________________________________________________
> Check out Election 2004 for up-to-date election news, plus voter tools and
> more! http://special.msn.com/msn/election2004.armx