Security Basics mailing list archives

RE: 0.0.0.0 Probes


From: "Fook Ming EE" <eeefm () singnet com sg>
Date: Fri, 22 Oct 2004 17:21:30 +0800

Hi John, 

Some probing tools can fake the source IP so that you won't know where the
attacks are from, or someone else's IPs were being used. Generally, 0.0.0.0
means the "World". Remember, usually your default router is 0.0.0.0 followed by
the gateway to the Internet.

It is not broadcast traffic but targeted attacks.

I think you mentioned that your firewall is already dropping these packets.
Or you can configure it to drop these packets with source 0.0.0.0.

I hope this helps!

Cheers,
EFM


-----Original Message-----
From: John Smithson [mailto:why1234 () hotmail com] 
Sent: Friday, October 22, 2004 4:47 AM
To: security-basics () securityfocus com
Subject: 0.0.0.0 Probes

Gurus,

Over the last few days my external NIDS (outside the firewall) has picked up a
huge amount of HTTP Probes (over 50,000/day) with source IP address 0.0.0.0.

The destinations are every IP address on my public DMZ. These are just HTTP
Probes. This traffic is being dropped by my firewalls. The internal IDS does
not show any of this event. Initially, I thought it was just a normal scan,
but since it is occurring every day with that high frequency, I got more
curious.

However, I'm trying to understand what the 0.0.0.0 source means and how it arises.
Could some of you kindly shed light on this fellow? I have googled it and
done normal research, but am still not 100% clear. Is it something that we
have misconfigured? Is it broadcast traffic? Can I use my router to
block this? ... all normal questions to defend my assets.

Thank you,

John


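The thread's two practical points are that a source of 0.0.0.0 on the Internet-facing side can only be a spoofed or misconfigured sender, and that such packets should simply be dropped. The script below is an added example, not code from either poster: it classifies the source address of constructed NIDS-style log lines against the classic non-routable (bogon) source ranges, counts which DMZ hosts the spoofed traffic targets, and emits matching iptables drop rules. It goes a little beyond the thread by covering the other bogon ranges (loopback, RFC 1918, link-local, multicast, class E) alongside 0.0.0.0/8. The log layout, the sample lines, the bogon list and the interface name `eth0` are all assumptions made for the example.

```python
"""Added example (not part of the original thread): classify the source
address of inbound packets logged outside the firewall, so that 0.0.0.0
probes like the ones reported are flagged as non-routable (bogon) sources
rather than counted as ordinary scans, and emit the matching drop rules.
The log layout and the sample lines are constructed for this example and
are not any real IDS format."""

import ipaddress
from collections import Counter

# Minimal ingress bogon list (RFC 1122 "this host", loopback, RFC 1918,
# link-local, multicast, class E). A packet arriving from the Internet with
# any of these as its source cannot be legitimate: the source is spoofed or
# the sender is misconfigured. This is a starting point, not a complete list.
BOGON_SOURCES = {
    "unspecified": ["0.0.0.0/8"],
    "loopback": ["127.0.0.0/8"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["169.254.0.0/16"],
    "multicast": ["224.0.0.0/4"],
    "reserved": ["240.0.0.0/4"],
}
_BOGON_NETS = [(label, ipaddress.ip_network(cidr))
               for label, cidrs in BOGON_SOURCES.items() for cidr in cidrs]

# Constructed sample log in a hypothetical "timestamp proto src dst dport"
# layout; destinations are documentation addresses standing in for a DMZ.
SAMPLE_LOG = """\
2004-10-22T04:01:12 TCP 0.0.0.0 203.0.113.10 80
2004-10-22T04:01:12 TCP 0.0.0.0 203.0.113.11 80
2004-10-22T04:01:13 TCP 0.0.0.0 203.0.113.12 80
2004-10-22T04:01:13 TCP 0.0.0.0 203.0.113.10 80
2004-10-22T04:02:40 TCP 198.51.100.7 203.0.113.10 80
2004-10-22T04:03:05 TCP 10.1.2.3 203.0.113.10 443
2004-10-22T04:03:09 TCP 127.0.0.1 203.0.113.10 80
"""


def classify_source(src: str) -> str:
    """Return the bogon class of a source address, or 'routable'."""
    ip = ipaddress.ip_address(src)
    for label, net in _BOGON_NETS:
        if ip in net:
            return label
    return "routable"


def parse_line(line: str) -> dict:
    """Split one log line into its fields (hypothetical layout)."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def summarize(log_text: str) -> dict:
    """Count packets per source class and, for bogon sources, per destination."""
    by_class = Counter()
    spoofed_targets = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cls = classify_source(rec["src"])
        by_class[cls] += 1
        if cls != "routable":
            spoofed_targets[rec["dst"]] += 1
    return {"by_class": dict(by_class), "spoofed_targets": dict(spoofed_targets)}


def drop_rules(external_iface: str = "eth0") -> list:
    """iptables rules dropping every bogon source on the outside interface
    (interface name is an assumption for the example)."""
    return [f"iptables -A INPUT -i {external_iface} -s {cidr} -j DROP"
            for cidrs in BOGON_SOURCES.values() for cidr in cidrs]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("packets by source class:", report["by_class"])
    print("DMZ hosts hit from bogon sources:", report["spoofed_targets"])
    for rule in drop_rules():
        print(rule)
```

Because the bogon ranges are listed explicitly rather than taken from `ipaddress`'s `is_private` flag, documentation ranges such as 198.51.100.0/24 stay classified as routable, which is what makes them usable as stand-ins for real peers in the sample; on a production sensor the list should be extended to whatever prefixes the site's upstream will never legitimately send.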