Security Basics mailing list archives

RE: 0.0.0.0 Probes


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 22 Oct 2004 08:31:24 -0700

  It means that whatever machine generated the traffic, it was
trying to hide its identity.

  Note that you cannot possibly send return packets to this address.
So I wouldn't call this a "probe", unless it was written by someone
who is still just learning how TCP/IP works.

  Earlier this week, I tracked down a worm on our network that was
generating packets with a source address of 0.0.0.0, and sending
them all to a specific address.  This is not a "probe", it's a 
"SYN flood" attack.  The attacker doesn't care that the destination 
can't reply, because he has no intention of ever completing the
TCP three-way handshake.

  If you're seeing traffic sourced from 0.0.0.0, the only 
"misconfiguration" is that nobody between you and the source is
doing anti-spoofing or egress filtering.  Dropping it at your
firewalls is the only sane thing to do.

David Gillett


-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com]
Sent: Thursday, October 21, 2004 1:47 PM
To: security-basics () securityfocus com
Subject: 0.0.0.0 Probes


Gurus,

Over the last few days my external NIDS (outside firewall) has picked
up a huge amount of HTTP Probes (over 50,000/day) with source IP
address 0.0.0.0.  The destinations are every IP address on my
public-DMZ.  These are just HTTP Probes.  This traffic is being
dropped by my firewalls.  Internal IDS does not show any of these
events.  Initially, I thought it was just a normal scan, but since it
is occurring every day with that high frequency, I got more curious.

However, I'm trying to understand what / how does the 0.0.0.0 Source
mean.  Could some of you kindly shed light on this fellow?  I have
googled it and done normal research.. but still not 100% clear.  Is it
something that we have misconfigured?  Is it broadcast traffic?  Can I
use my router to block this?  .. all normal questions to defend my
assets..

Thank you,

John
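
Added example, not part of either message above: a Python sketch of the border checks the reply recommends (anti-spoofing on the way in, egress filtering on the way out), plus a per-destination count of packets sourced from 0.0.0.0. The site prefix 192.0.2.0/24, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed site prefix (documentation range, constructed for this example).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that can never be valid on an Internet-facing interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network", includes 0.0.0.0
    "127.0.0.0/8",     # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",  # link-local
    "224.0.0.0/3",     # multicast and reserved
)]

def border_verdict(src, direction, site=SITE_PREFIXES):
    """Return 'drop' or 'pass' for a packet crossing the border router."""
    addr = ipaddress.ip_address(src)
    ours = any(addr in net for net in site)
    if direction == "out":
        # Egress filtering: only our own prefixes may leave as a source.
        return "pass" if ours else "drop"
    # Ingress anti-spoofing: no bogons, and nobody outside may claim our addresses.
    if ours or any(addr in net for net in BOGON_SOURCES):
        return "drop"
    return "pass"

def unspecified_source_targets(records):
    """Count packets with source 0.0.0.0 per destination address."""
    hits = Counter()
    for src, dst, _flags in records:
        if ipaddress.ip_address(src).is_unspecified:
            hits[dst] += 1
    return hits

# Constructed sample records: (source, destination, TCP flags).
SAMPLE = [
    ("0.0.0.0", "192.0.2.10", "S"),
    ("0.0.0.0", "192.0.2.10", "S"),
    ("0.0.0.0", "192.0.2.11", "S"),
    ("198.51.100.7", "192.0.2.10", "S"),
]

if __name__ == "__main__":
    for src, dst, _ in SAMPLE:
        print(src, "->", dst, border_verdict(src, "in"))
    print(unspecified_source_targets(SAMPLE).most_common())
```

The outbound branch is the check that, applied on the originating network, keeps packets with a 0.0.0.0 source from ever leaving it.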



