Security Incidents mailing list archives

Re: Ip spoof from 0.0.0.0

From: Olaf Schreck <chakl () syscall de>
Date: Tue, 5 Nov 2002 00:24:53 +0100

Jared,

I was hoping someone could tell me whether this is a misconfigured device
(perhaps) or is this activity I should be concerned with (and please keep

Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
spoof from (0.0.0.0) to x.x.x.5


too bad these Pix logs don't show the attempted destination port.  

We have seen similar things lately, TCP/445 slow scans from 0.0.0.0.  
I'm not at work currently, sorry no tracefiles.  Looks like some sort 
port 445 harvesting to me at first glance.

Definitely a red bulled on my watchlist.


ciao,
chakl


On Mon, Nov 04, 2002 at 04:27:35PM -0500, Ingersoll, Jared wrote:

any witless banter regarding my use of 'concerned with' to yourself-
thanks!). 

These are SYSLOG entries from my firewall (PIX). (the x.x.x.X are static
address on the external interface).

-Jared

urchin 7% grep spoof oSYSLOG


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Ip spoof from 0.0.0.0 Ingersoll, Jared (Nov 04)
- Re: Ip spoof from 0.0.0.0 Olaf Schreck (Nov 04)
  - Message not available
    - Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 05)
    - Re: Ip spoof from 0.0.0.0 Crist J. Clark (Nov 06)
- Re: Ip spoof from 0.0.0.0 Pavel Kankovsky (Nov 06)
  - RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
    - RE: Ip spoof from 0.0.0.0 Russell Fulton (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- Re: Ip spoof from 0.0.0.0 Mike Maxwell (Nov 09)
- <Possible follow-ups>
- Re: Ip spoof from 0.0.0.0 Frank Cheong (Nov 06)
  - Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 06)
  - Re: Ip spoof from 0.0.0.0 Paul Gillingwater (Nov 06)

(Thread continues...)