Security Incidents mailing list archives
RE: Ip spoof from 0.0.0.0
From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 06 Nov 2002 18:29:34 -0600
It seems that something similar has been discussed before:

http://archives.neohapsis.com/archives/iss/2000-q1/0461.html

However, here they talk about a problem with RealSecure, not a firewall like PIX. Many others have reported TCP SYN activity to port 445; however, the PIX logs in the original post only tell us that this is an IP packet, there is no information on whether these are TCP, UDP or just plain IP packets (I have not worked a lot with PIXes though, so if this is my misunderstanding, please excuse me).

There are circumstances where packets are sent from a source IP address like 0.0.0.0, if I remember correctly; on a DHCP renew request, for example (here is a link to an example packet from a SonicWall: http://www.mynetwatchman.com/kb/netkb/sonicwalldhcp/dhcpreq.htm). Here DHCP is on top of UDP, but if these are accepted, I don't see why manually crafted IP packets could contain a 0.0.0.0 address whether you put TCP or UDP on top.

0.0.0.0 seems to be a historical broadcast address; I've also seen it defined as the "broadcast base address". This CIAC document, "DDoS mediation action list", includes this address in its "private and reserved address list to be filtered" (look under the INGRESS FILTERING part of the document):

http://www.ciac.org/ciac/bulletins/k-032.shtml

So it seems that 0.0.0.0 will be allowed by some routing devices; still, you should filter all traffic from them.

I hope this helps,

Omar Herrera

-----Original Message-----
From: Pavel Kankovsky [mailto:peak () argo troja mff cuni cz]
Sent: Tuesday, November 5, 2002 06:35 p.m.
To: incidents () securityfocus com
Subject: Re: Ip spoof from 0.0.0.0

On Mon, 4 Nov 2002, Ingersoll, Jared wrote:

> Nov 1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.5

We're seeing them too, since Nov 1 03:30 GMT, approx. 150 per day. TCP SYNs to port 445 on different IPs. An interesting detail is that all of them have IP ID == 256. TTL appears to vary between 108 and 113.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
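As an added illustration of the two points in the thread (triaging the PIX 106016 denials, and filtering reserved sources at ingress while allowing the one legitimate DHCP use of 0.0.0.0), here is example code that is not part of the original thread. The sample log lines are constructed in the format of the quoted line, and the reserved-prefix list is a typical one (assumption: the CIAC list linked above is not reproduced here).

```python
"""Triage of PIX 'Deny IP spoof' events and an ingress source-address check."""
import ipaddress
import re
from collections import Counter

# Reserved / unroutable source prefixes to drop on an external interface.
# Typical list of this kind (assumption, not the CIAC list itself);
# 0.0.0.0/8 is the "this network" block that contains 0.0.0.0.
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

PIX_SPOOF = re.compile(
    r"%PIX-\d-106016: Deny IP spoof from \((?P<src>[^)]+)\) to (?P<dst>\S+)"
)

def parse_pix_spoof(line):
    """Return (src, dst) from a %PIX-x-106016 line, or None if it is not one."""
    m = PIX_SPOOF.search(line)
    return (m.group("src"), m.group("dst")) if m else None

def is_reserved_source(addr):
    """True if addr lies in a prefix that should never be a source at ingress."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_SOURCES)

def should_drop(src, proto=None, sport=None, dport=None):
    """Ingress decision: drop reserved sources, except a DHCP client that has
    no address yet (0.0.0.0, UDP 68 -> 67), the case the thread mentions.
    That exception belongs only on an interface serving DHCP clients."""
    if src == "0.0.0.0" and proto == "udp" and sport == 68 and dport == 67:
        return False
    return is_reserved_source(src)

def summarize(lines):
    """Count spoof denials per (source, destination) pair."""
    counts = Counter()
    for line in lines:
        hit = parse_pix_spoof(line)
        if hit:
            counts[hit] += 1
    return counts

# Constructed sample lines (destinations use the 192.0.2.0/24 documentation range).
SAMPLE_LOGS = [
    "Nov 1 01:42:44 fw1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.5",
    "Nov 1 01:43:10 fw1 Nov 01 2002 01:50:58: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.9",
    "Nov 1 01:44:02 fw1 Nov 01 2002 01:51:50: %PIX-2-106016: Deny IP spoof from (10.1.1.1) to 192.0.2.5",
    "Nov 1 01:45:00 fw1 Nov 01 2002 01:52:48: %PIX-6-302001: Built inbound TCP connection",
]

if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {src:>15} -> {dst}  reserved={is_reserved_source(src)}")
```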
Current thread:
- Ip spoof from 0.0.0.0 Ingersoll, Jared (Nov 04)
- Re: Ip spoof from 0.0.0.0 Olaf Schreck (Nov 04)
- Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 05)
- Re: Ip spoof from 0.0.0.0 Crist J. Clark (Nov 06)
- Re: Ip spoof from 0.0.0.0 Olaf Schreck (Nov 04)
- Re: Ip spoof from 0.0.0.0 Pavel Kankovsky (Nov 06)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- RE: Ip spoof from 0.0.0.0 Russell Fulton (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- Re: Ip spoof from 0.0.0.0 Mike Maxwell (Nov 09)
- Re: Ip spoof from 0.0.0.0 Frank Cheong (Nov 06)
- Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 06)
- Re: Ip spoof from 0.0.0.0 Paul Gillingwater (Nov 06)
- Re: Ip spoof from 0.0.0.0 Nexus (Nov 07)
- Re: Ip spoof from 0.0.0.0 batz (Nov 07)
- Re: Ip spoof from 0.0.0.0 Jason Robertson (Nov 08)