It means that whatever machine generated the traffic, it was
trying to hide its identity.
Note that you cannot possibly send return packets to this address.
So I wouldn't call this a "probe", unless it was written by someone
who is still just learning how TCP/IP works.
Earlier this week, I tracked down a worm on our network that was
generating packets with a source address of 0.0.0.0, and sending
them all to a specific address. This is not a "probe", it's a
"SYN flood" attack. The attacker doesn't care that the destination
can't reply, because he has no intention of ever completing the
TCP three-way handshake.
If you're seeing traffic sourced from 0.0.0.0, the only
"misconfiguration" is that nobody between you and the source is
doing anti-spoofing or egress filtering. Dropping it at your
firewalls is the only sane thing to do.
David Gillett
-----Original Message-----
From: John Smithson [mailto:why1234@hotmail.com]
Sent: Thursday, October 21, 2004 1:47 PM
To: security-basics@securityfocus.com
Subject: 0.0.0.0 Probes
Gurus,
Over the last few days my external NIDS (outside firewall)
has picked up
huge amount of HTTP Probe (over 50,000/day) with source IP
address 0.0.0.0.
The destinations are every IP address on my public-DMZ.
These are just HTTP
Probes. This traffic is being dropped by my firewalls.
Internal IDS does
not show any of this event. Initially, I thought it was just
normal scan,
but since it is occurring everyday with that high frequency,
I got more
curious.
However, I'm trying to understand what / how does the 0.0.0.0
Source mean.
Could some of you kindly shed light on this fellow? I have
googled it and
done normal research.. but still not 100% clear. Is it
something that we
have mis-configuration? Is it broadcast traffic? Can I user
my router to
block this? .. all normal questions to defend my assets..
Thank you,
John
_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus
voter tools and
more! http://special.msn.com/msn/election2004.armx
