Hi John,
Some probing tools can fake the source IP so that you won't know where the
attacks are from or someone else IPs were being use. Generally, 0.0.0.0
means the "World". Remember usually your default router is 0.0.0.0 follow by
gateway to the Internet.
It is not a broadcast traffic but targeted attacks.
I think you mentioned that your firewall is already dropping these packets.
Or you can configure drop these packets with source 0.0.0.0
I hope this helps!
Cheers,
EFM
-----Original Message-----
From: John Smithson [mailto:why1234@hotmail.com]
Sent: Friday, October 22, 2004 4:47 AM
To: security-basics@securityfocus.com
Subject: 0.0.0.0 Probes
Gurus,
Over the last few days my external NIDS (outside firewall) has picked up
huge amount of HTTP Probe (over 50,000/day) with source IP address 0.0.0.0.
The destinations are every IP address on my public-DMZ. These are just HTTP
Probes. This traffic is being dropped by my firewalls. Internal IDS does
not show any of this event. Initially, I thought it was just normal scan,
but since it is occurring everyday with that high frequency, I got more
curious.
However, I'm trying to understand what / how does the 0.0.0.0 Source mean.
Could some of you kindly shed light on this fellow? I have googled it and
done normal research.. but still not 100% clear. Is it something that we
have mis-configuration? Is it broadcast traffic? Can I user my router to
block this? .. all normal questions to defend my assets..
Thank you,
John
_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus voter tools and
more! http://special.msn.com/msn/election2004.armx
