Security Basics mailing list archives
RE: 0.0.0.0 Probes
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 22 Oct 2004 10:38:38 -0700
According to RFC 1812, all routers "SHOULD NOT originate datagrams addressed to 0.0.0.0". This leads me to believe that these packets are coming from your local ISP's network.
These packets are not *to* 0.0.0.0; they just claim to be *from* there. Unless a router is specifically configured to check the source address for validity, it won't care. (The RFC passage you quote prevents attempts to *reply* to such packets from saturating the whole Internet.) David Gillett
-----Original Message----- From: Miles Stevenson [mailto:miles () mstevenson org] Sent: Thursday, October 21, 2004 7:59 PM To: security-basics () securityfocus com Cc: John Smithson Subject: Re: 0.0.0.0 Probes Hello John, According to RFC 1812, all routers "SHOULD NOT originate datagrams addressed to 0.0.0.0". This leads me to believe that these packets are coming from your local ISP's network. However, the RFC goes on to state : "There MAY be a configuration option to allow generation of these packets (instead of using the relevant 1s format broadcast). This option SHOULD default to not generating them." -which opens up a loophole for routers to do just that. This could also be a configuration problem with your ISP's router. Other than that, I can't really help you identify the purpose of these packets without more information. Would it be possible for you to provide me with a full packet capture of these (off-list of course)? I can then post a more in-depth analysis of that capture, scrubbing all appropriate information from the post (IP and MAC addresses, etc). Of course, anything you want me to keep confidential will be honored. You can take a capture of this traffic with the following command on your firewall (running as root): tcpdump -nS -i eth0 -w capture.dump host 0.0.0.0 & (where "eth0" is the ethernet device facing your ISP's network, and "capture.dump" is the file to save the data to). The process should detatch, and run in the background. Go ahead and let it run for a while to capture data. Periodically check your "capture.dump" file with the command: ls -alh Please don't let the file grow over 50k of data. Once you get close to this number, go ahead and kill the tcpdump process: killall tcpdump It also wouldn't hurt to submit this to the ISC Handlers at
www.incidents.org Of course you can and SHOULD use your router/firewall/filtering device to block such traffic. It it definitely not legitimate. This doesn't necessarily mean that it is malicious, but you should be blocking it regardless. Cheers. -- Miles Stevenson miles () mstevenson org PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
Current thread:
- 0.0.0.0 Probes John Smithson (Oct 21)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- RE: 0.0.0.0 Probes Keith Bucknall (Oct 25)
- RE: 0.0.0.0 Probes xyberpix (Oct 26)
- RE: 0.0.0.0 Probes Fook Ming EE (Oct 26)
- RE: 0.0.0.0 Probes David Gillett (Oct 22)
- Re: 0.0.0.0 Probes Miles Stevenson (Oct 22)
- <Possible follow-ups>
- RE: 0.0.0.0 Probes Jorge Reyes (Oct 22)
- RE: 0.0.0.0 Probes Shawn Jackson (Oct 22)