RE: Ip spoof from 0.0.0.0

From: Omar Herrera (oherreraat_private)
Date: Wed Nov 06 2002 - 16:29:34 PST


     
    
    It seems that something similar has been discussed before:
    http://archives.neohapsis.com/archives/iss/2000-q1/0461.html
    
    However, there they talk about a problem with RealSecure, not a
    firewall like the PIX.
    
    Many others have reported TCP SYN activity to port 445; however, the
    PIX logs in the original post only tell us that this is an IP packet. There
    is no information on whether these are TCP, UDP or just plain IP packets
    (I have not worked a lot with PIXes though, so if this is my
    misunderstanding, please excuse me).
    
    There are circumstances where packets are sent from a source IP
    address like 0.0.0.0, if I remember correctly; on a DHCP renew request,
    for example (here is a link to an example packet from a SonicWall:
    http://www.mynetwatchman.com/kb/netkb/sonicwalldhcp/dhcpreq.htm).
    
    Here DHCP is on top of UDP, but if these are accepted, I don't see
    why manually crafted IP packets could contain a 0.0.0.0 address
    whether you put TCP or UDP on top.
    
    0.0.0.0 seems to be a historical broadcast address; I've also seen
    it defined as the "broadcast base address".
    
    This CIAC document, "DDoS mediation action list" includes this
    address in its "private and reserved address list to be filtered"
    (look under the INGRESS FILTERING part of the document):
    http://www.ciac.org/ciac/bulletins/k-032.shtml
    
    So it seems that 0.0.0.0 will be allowed by some routing devices;
    still, you should filter all traffic from it.
    
    I hope this helps,
    
    Omar Herrera
    
    
    
    - -----Original Message-----
    From: Pavel Kankovsky [mailto:peakat_private] 
    Sent: Tuesday, 05 November 2002 06:35 p.m.
    To: incidentsat_private
    Subject: Re: Ip spoof from 0.0.0.0
    
    On Mon, 4 Nov 2002, Ingersoll, Jared wrote:
    
    > Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016:
    > Deny IP spoof from (0.0.0.0) to x.x.x.5
    
    We're seeing them too, since Nov 1 03:30 GMT, approx. 150 per day.
    TCP SYNs to port 445 on different IPs. An interesting detail is that
    all of them have IP ID == 256. TTL appears to vary between 108 and 113.
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
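    The thread turns on two things: the %PIX-2-106016 anti-spoof deny quoted above, and
    the CIAC advice to filter reserved sources such as 0.0.0.0 at ingress. As an added
    example (not code from the thread or from Cisco), this script parses constructed
    syslog lines in the quoted 106016 format, counts denies per source/destination pair,
    and flags sources that fall in reserved ranges; the RESERVED_NETS list is an assumed
    stand-in for the fuller CIAC filter list, and 192.0.2.x replaces the redacted x.x.x.5.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the %PIX-2-106016 text exactly as quoted in the thread; the syslog
# relay prefix (host timestamp, device id, PIX timestamp) is not parsed.
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
)

# Assumption: stand-in for the CIAC "private and reserved" ingress list
# (RFC 1918 ranges plus 0.0.0.0/8 and loopback); the real list is longer.
RESERVED_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

def is_reserved_source(src: str) -> bool:
    """True if src lies in a range that should never arrive on the outside interface."""
    addr = ip_address(src)
    return any(addr in net for net in RESERVED_NETS)

def summarize_spoof_denies(log_text: str) -> dict:
    """Count 106016 denies per (src, dst) pair and tally reserved sources seen."""
    pairs, reserved = Counter(), Counter()
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if not m:
            continue  # lines that are not 106016 entries are skipped
        src, dst = m.group("src"), m.group("dst")
        pairs[(src, dst)] += 1
        if is_reserved_source(src):
            reserved[src] += 1
    return {"pairs": dict(pairs), "reserved_sources": dict(reserved)}

# Constructed sample lines modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.5
Nov  1 01:43:10 2U:10.1.1.1 Nov 01 2002 01:50:58: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.7
Nov  1 01:44:02 2U:10.1.1.1 Nov 01 2002 01:51:50: %PIX-2-106016: Deny IP spoof from (198.51.100.9) to 192.0.2.5
Nov  1 01:45:00 2U:10.1.1.1 Nov 01 2002 01:52:48: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to 192.0.2.5
Nov  1 01:46:00 2U:10.1.1.1 constructed unrelated syslog text, not a 106016 entry
"""

if __name__ == "__main__":
    report = summarize_spoof_denies(SAMPLE_LOG)
    for (src, dst), n in sorted(report["pairs"].items()):
        print(f"{src:>15} -> {dst:<12} {n} denies")
    print("reserved sources seen:", report["reserved_sources"])
```

    Pointing the parser at a real PIX syslog file shows how much of the 106016 noise is
    0.0.0.0 versus other spoofed sources, which is the distinction the thread is making.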
    



    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 11:50:57 PST