RE: 0.0.0.0 Probes

["Keith Bucknall" <keith.bucknall () zen co uk>]

Dear All,

I am trying to troubleshoot a problem we have, on a particular site they use
a PPTP VPN connection to our office, at present we just use Windows XP DUN
for this - I will be changing this soon to a IPSEC tunnel but just need to
get this working.

When use A dials the VPN server they connect without a problem and the VPN
registers as established.  But then the next day when User B tries on our
VPN server it displays his source address as 0.0.0.0 and then refuses the
connection, User A tries and I get his original source IP.  This only
displays a source IP as 0.0.0.0 for User B...

Would this mean that his PC could be infected with a worm that is trying to
hide the course IP.

Kind Regards

Keith

 


-----Original Message-----
From: Miles Stevenson [mailto:miles () mstevenson org] 
Sent: 22 October 2004 19:02
To: security-basics () securityfocus com; gillettdavid () fhda edu
Cc: 'John Smithson'
Subject: Re: 0.0.0.0 Probes

David,

<snip>
>   These packets are not *to* 0.0.0.0; they just claim to be
> *from* there.  Unless a router is specifically configured to
> check the source address for validity, it won't care.  (The
> RFC passage you quote prevents attempts to *reply* to such
> packets from saturating the whole Internet.)
</snip>

Agreed. Thank you for the correction. 

> "..SHOULD NOT originate datagrams addressed to 0.0.0.0".

Use of the words "originate" and "to" in the same phrase to represent
traffic 
flow seems, at first glance, to be in conflict with each other, and is
likely 
the source of my misinterpretation.

Another example of the importance of semantics when then intention is to 
communicate accurately. 

-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63

Attachment: smime.p7s
Description: