Re: Ip spoof from 0.0.0.0

["Crist J. Clark" <crist.clark () attbi com>]

On Tue, Nov 05, 2002 at 12:15:05AM -0700, Mike Lewinski wrote:
> A few more data points:
>
> This scan has targeted every /24 in a /20 here. While the third and 
> fourth octets appear random, there are a couple interesting things:
>
> 1) 1460 unique IPs have been targeted out of 2321 total deny entries. 
> There is some duplication of effort.
>
> 2) Thus far none of the dst IPs have been above the /25 boundary in each 
> /24. If the fourth octet scan is actually limited to 0-127, then ~70% of 
> the possible targets here have been chosen at least once.
>
> A time distribution sample across the 4th octet looks like this:
>
> Nov  1 07:56:54 MST x.y.92.0
> Nov  1 12:44:08 MST x.y.83.0
> Nov  1 15:59:31 MST x.y.84.0
> Nov  1 17:10:40 MST x.y.80.0
> Nov  1 23:02:18 MST x.y.91.0
> Nov  1 23:03:11 MST x.y.81.0
> Nov  2 16:24:15 MST x.y.91.0
> Nov  2 18:10:17 MST x.y.95.0
> Nov  2 22:24:18 MST x.y.86.0
> Nov  3 12:09:46 MST x.y.85.0
> Nov  4 07:26:20 MST x.y.84.0
> Nov  4 19:10:54 MST x.y.94.0
> Nov  4 20:38:13 MST x.y.85.0
> Nov  4 21:15:37 MST x.y.84.0
>
>
> Across the 3rd octet it looks like this:
>
> Nov  4 00:27:30 MST x.y.84.119
> Nov  4 00:41:48 MST x.y.84.61
> Nov  4 00:57:01 MST x.y.84.18
> Nov  4 02:03:55 MST x.y.84.88
> Nov  4 02:26:48 MST x.y.84.41
> Nov  4 02:46:15 MST x.y.84.98
> Nov  4 05:06:20 MST x.y.84.2
> Nov  4 05:24:50 MST x.y.84.51
> Nov  4 06:09:48 MST x.y.84.7
> Nov  4 06:30:17 MST x.y.84.50
> Nov  4 07:20:39 MST x.y.84.110
> Nov  4 07:25:42 MST x.y.84.69
> Nov  4 07:26:20 MST x.y.84.0
> Nov  4 08:13:32 MST x.y.84.55
> Nov  4 08:25:58 MST x.y.84.46
> Nov  4 10:54:05 MST x.y.84.4
> Nov  4 11:32:05 MST x.y.84.87
> Nov  4 12:28:25 MST x.y.84.117
> Nov  4 12:38:27 MST x.y.84.91
>
> Also, our logs show only a single packet denied in every instance.
>
> Perhaps the payload is intended to DoS the victim per this:
>
> http://online.securityfocus.com/archive/1/256830

Huh? We still talking about TCP SYN packets from 0.0.0.0 source
address to 445/tcp? If the source address is 0.0.0.0, i.e. an address
that a response (if the receiver is even broken enough to send a
responce in the first place) can never get to, how can an "attacker"
ever hope to deliver a payload? You can't finish the TCP handshake.

If this is a scanner or DoS attempt of some kind, the tool doing it is
broken (*shock* broken k1dd13 t00lz?). There is no way it can do
either.

These remind me of those,

  255.255.255.255:31337 -> a.b.c.d:515

SYN packets you still see from time to time. More amusing than
anything else. If anyone really knows what generates any of these, I'd
love to know, but I'm not losing any sleep over it.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com