Re: Strange TCP Sweep to 0.0.0.0

["jared mc" <bugtraqlist () hotmail com>]

We have found the same thing with our Cisco IDS systems.  I was able to 
recreate this 0.0.0.0 bug when I would use Nmap SYN scans to browse through 
our network.  The data was sent into Cisco and I believe they knew it was a 
bug with their latest update.  I have no idea if/when a bug fix will be 
released  :)

-Jared


> From: "Geoff Poer" <gpoer () tick Telcom Arizona EDU>
> Reply-To: <gpoer () tick telcom arizona edu>
> To: <incidents () securityfocus com>
> Subject: Strange TCP Sweep to 0.0.0.0
> Date: Fri, 9 Nov 2001 10:34:30 -0700
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Our Cisco Secure IDS (that lives outside the firewall) is picking up
> some strange traffic off one of our Netscreen Firewalls.  The Src
> addresses are the un-trusted interface addresses assigned to the
> Netscreen. Has any one seen something like this before? Is it a bug
> or am I seeing something interesting?
>
> Date Sensor Signature Sub Sig Description Severity Src Address Src
> Port Dst Address Dst Port
> 2001-10-26 08:51:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 2028
> 0.0.0.0 0
> 2001-10-26 08:55:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1610
> 0.0.0.0 0
> 2001-10-26 09:17:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1100
> 0.0.0.0 0
> 2001-10-26 09:21:20 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1058
> 0.0.0.0 0
> 2001-10-26 09:23:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1707
> 0.0.0.0 0
> 2001-10-26 09:25:23 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1133
> 0.0.0.0 0
> 2001-10-26 09:27:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1959
> 0.0.0.0 0
> 2001-10-26 10:33:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1448
> 0.0.0.0 0
> - --------Cut--------
>
> (other address assigned to interface)
> 2001-11-02 09:24:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1886
> 0.0.0.0 0
> 2001-11-02 09:54:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1197
> 0.0.0.0 0
> 2001-11-02 10:48:23 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1779
> 0.0.0.0 0
> 2001-11-02 11:29:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1152
> 0.0.0.0 0
> 2001-11-02 11:49:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1286
> 0.0.0.0 0
>
> What ever it is it is not terribly fast. The dates are inconsistent
> in this email but they are actually occurring everyday with similar
> frequency.
>
> thanks,
> Geoff
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBO+wRgnJYBcIyrSGLEQJBNgCg4BuqFioMAitq5Lk+3qTiLYk6lbwAn33p
> iesT5XGxthCxSARQdCQYKpaL
> =Zj26
> -----END PGP SIGNATURE-----
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com