Hello John,
According to RFC 1812, all routers "SHOULD NOT originate datagrams addressed
to 0.0.0.0". This leads me to believe that these packets are coming from your
local ISP's network. However, the RFC goes on to state :
"There MAY be a configuration option to allow generation of these packets
(instead of using the relevant 1s format broadcast). This option SHOULD
default to not generating them."
-which opens up a loophole for routers to do just that. This could also be a
configuration problem with your ISP's router.
Other than that, I can't really help you identify the purpose of these packets
without more information. Would it be possible for you to provide me with a
full packet capture of these (off-list of course)? I can then post a more
in-depth analysis of that capture, scrubbing all appropriate information from
the post (IP and MAC addresses, etc). Of course, anything you want me to keep
confidential will be honored.
You can take a capture of this traffic with the following command on your
firewall (running as root):
tcpdump -nS -i eth0 -w capture.dump host 0.0.0.0 &
(where "eth0" is the ethernet device facing your ISP's network, and
"capture.dump" is the file to save the data to).
The process should detatch, and run in the background. Go ahead and let it run
for a while to capture data. Periodically check your "capture.dump" file with
the command:
ls -alh
Please don't let the file grow over 50k of data. Once you get close to this
number, go ahead and kill the tcpdump process:
killall tcpdump
It also wouldn't hurt to submit this to the ISC Handlers at www.incidents.org
Of course you can and SHOULD use your router/firewall/filtering device to
block such traffic. It it definitely not legitimate. This doesn't necessarily
mean that it is malicious, but you should be blocking it regardless.
Cheers.
--
Miles Stevenson
miles@mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
pgpK4a8pxn2Xr.pgp
Description: PGP signature
