Re: 0.0.0.0 Probes

[Ghaith Nasrawi <libero () aucegypt edu>]

yeah, I've found that with (cisco pix 515e - CheckPoint) few weeks ago, i thought the
problem was misconfiguration at that time, and even though the IPs were
shown as 0.0.0.0, connectivity was achieved.


> On Sun, 2004-10-24 at 11:58, xyberpix wrote:
> > I know that Sygate personal firewall can hide the IP addy of the machine
> > it's installed on, and when it does it shows up as 0.0.0.0 in some logs,
> > this may be the case here. Anyone else seen this before?
> >
> > xyberpix
> >
> > On Thu, 2004-10-21 at 21:47, John Smithson wrote:
> > > Gurus,
> > >
> > > Over the last few days my external NIDS (outside firewall) has picked up 
> > > huge amount of HTTP Probe (over 50,000/day) with source IP address 0.0.0.0.  
> > > The destinations are every IP address on my public-DMZ.  These are just HTTP 
> > > Probes.  This traffic is being dropped by my firewalls. Internal IDS does 
> > > not show any of this event.  Initially, I thought it was just normal scan, 
> > > but since it is occurring everyday with that high frequency, I got more 
> > > curious.
> > >
> > > However, I'm trying to understand what / how does the 0.0.0.0 Source mean.  
> > > Could some of you kindly shed light on this fellow?  I have googled it and 
> > > done normal research.. but still not 100% clear.  Is it something that we 
> > > have mis-configuration? Is it broadcast traffic? Can I user my router to 
> > > block this?  .. all normal questions to defend my assets..
> > >
> > > Thank you,
> > >
> > > John
> > >
> > > _________________________________________________________________
> > > Check out Election 2004 for up-to-date election news, plus voter tools and 
> > > more! http://special.msn.com/msn/election2004.armx