Security Incidents mailing list archives

Re: Ip spoof from 0.0.0.0

From: "Jason Robertson" <jason () ifuture com>
Date: Thu, 07 Nov 2002 22:16:46 -0500

For all of you who want the list of bogus IP's

http://www.cymru.com/Documents/bogon-list.html

As for 0.0.0.0, it is used for DHCP, but it shouldn't go beyond your 
gateway, or anyone elses.

Also the addressing is usually 0.0.0.0 -> 255.255.255.255 67 
At least on our network at work...

On 6 Nov 2002 at 23:53, Nexus wrote:

From:                   "Nexus" <nexus () patrol i-way co uk>
To:                     "Frank Cheong" <chocobofrank () hotmail com>,
        "Paul Gillingwater" <paul () lanifex com>
Copies to:              <incidents () securityfocus com>
Subject:                Re: Ip spoof from 0.0.0.0
Date sent:              Wed, 6 Nov 2002 23:53:10 -0000


----- Original Message -----
From: "Paul Gillingwater" <paul () lanifex com>
To: "Frank Cheong" <chocobofrank () hotmail com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, November 06, 2002 7:08 PM
Subject: Re: Ip spoof from 0.0.0.0

[snip]

your router, not the remote attacker.  The best you could do is ask your
upstream ISP to filter outgoing traffic to drop IP packets with invalid
source addresses like 0.0.0.0.

[snip]

Good advice, also good luck ;-)
Try (tcp)tracerouting to RFC1918 addresses or IANA reserved netblocks
through ISP's - quite scary how far you get sometimes before somebody with
clue > 0 has been at the router configs and it gets dropped...

Cheers.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



--
Jason Robertson                
Now at the Nation Research Council.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Ip spoof from 0.0.0.0, (continued)
- Re: Ip spoof from 0.0.0.0 Pavel Kankovsky (Nov 06)
  - RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
    - RE: Ip spoof from 0.0.0.0 Russell Fulton (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- Re: Ip spoof from 0.0.0.0 Mike Maxwell (Nov 09)
- Re: Ip spoof from 0.0.0.0 Frank Cheong (Nov 06)
  - Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 06)
  - Re: Ip spoof from 0.0.0.0 Paul Gillingwater (Nov 06)
    - Re: Ip spoof from 0.0.0.0 Nexus (Nov 07)
    - Re: Ip spoof from 0.0.0.0 batz (Nov 07)
    - Re: Ip spoof from 0.0.0.0 Jason Robertson (Nov 08)
- Re: Ip spoof from 0.0.0.0 David Gillett (Nov 08)
- Re: Ip spoof from 0.0.0.0 Hernan Otero (Nov 08)
- RE: Ip spoof from 0.0.0.0 Onsite West Houston (Nov 11)
- RE: Ip spoof from 0.0.0.0 Ingersoll, Jared (Nov 11)
- RE: Ip spoof from 0.0.0.0 Steenbergen, Dennis, Contractor (Nov 12)