RE: 0.0.0.0 Probes

["David Gillett" <gillettdavid () fhda edu>]

> According to RFC 1812, all routers "SHOULD NOT originate 
> datagrams addressed to 0.0.0.0". This leads me to believe 
> that these packets are coming from your 
> local ISP's network. 

  These packets are not *to* 0.0.0.0; they just claim to be
*from* there.  Unless a router is specifically configured to 
check the source address for validity, it won't care.  (The
RFC passage you quote prevents attempts to *reply* to such 
packets from saturating the whole Internet.)

David Gillett


> -----Original Message-----
> From: Miles Stevenson [mailto:miles () mstevenson org]
> Sent: Thursday, October 21, 2004 7:59 PM
> To: security-basics () securityfocus com
> Cc: John Smithson
> Subject: Re: 0.0.0.0 Probes
>
>
> Hello John,
>
> According to RFC 1812, all routers "SHOULD NOT originate 
> datagrams addressed 
> to 0.0.0.0". This leads me to believe that these packets are 
> coming from your 
> local ISP's network. However, the RFC goes on to state :
>
> "There MAY be a configuration option to allow generation of 
> these packets 
> (instead of using the relevant 1s format broadcast). This 
> option SHOULD 
> default to not generating them." 
>
> -which opens up a loophole for routers to do just that. This 
> could also be a 
> configuration problem with your ISP's router.
>
> Other than that, I can't really help you identify the purpose 
> of these packets 
> without more information. Would it be possible for you to 
> provide me with a 
> full packet capture of these (off-list of course)? I can then 
> post a more 
> in-depth analysis of that capture, scrubbing all appropriate 
> information from 
> the post (IP and MAC addresses, etc). Of course, anything you 
> want me to keep 
> confidential will be honored. 
>
> You can take a capture of this traffic with the following 
> command on your 
> firewall (running as root):
> tcpdump -nS -i eth0 -w capture.dump host 0.0.0.0 &
>
> (where "eth0" is the ethernet device facing your ISP's network, and 
> "capture.dump" is the file to save the data to).
>
> The process should detatch, and run in the background. Go 
> ahead and let it run 
> for a while to capture data. Periodically check your 
> "capture.dump" file with 
> the command:
>
> ls -alh 
>
> Please don't let the file grow over 50k of data. Once you get 
> close to this 
> number, go ahead and kill the tcpdump process:
>
> killall tcpdump
>
> It also wouldn't hurt to submit this to the ISC Handlers at 
www.incidents.org

Of course you can and SHOULD use your router/firewall/filtering device to 
block such traffic. It it definitely not legitimate. This doesn't necessarily 
mean that it is malicious, but you should be blocking it regardless.

Cheers.

-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63