Forum OpenACS Q&A: What is 0.0.0.0 ip ?

Posted by Patrina Nasiron on
Hi,

I'm monitoring the IDS. It keeps detecting source 0.0.0.0, which has the highest number of attacks in most signatures. What is the 0.0.0.0 IP, how has it been generated, how do I deal with it, is it harmful, and what if I block it, what's gonna happen?

Is it generated from my own machine, such as the firewall or router which doesn't have an IP? Simply put, is it generated because the IDS couldn't find any IP for the machine?

Or something else?

Please guide.

Thank you.

2: Re: What is 0.0.0.0 ip ? (response to 1)
Posted by Orzenil Silva Junior on
Maybe what you are seeing is an exploit technique used to determine the operating system. To fingerprint a network, people use an IP source of 0.0.0.0 and an IP destination of 0.0.0.0, set the ACK bit, and broadcast at the Ethernet layer.

Whether it be the casual script kiddie trying out new code or the hard-core packeteer trying to remove your service, you could not know without firewall forensics...

Just try limiting icmp-type ping and see what happens. If you're running a Linux firewall, the iptables code for Linux 2.4.*/2.6.* contains a few chains to play with DoS attacks, like the LOG and MIRROR chains. You can effectively create rate limiters to drop excess packets and avoid DoS.

/sbin/iptables -A INPUT -m limit -p icmp --icmp-type ping --limit 3/second --limit-burst 10 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type ping -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

This example script will let every ping under 3/second through and drop the rest; I took it from http://red0x.no-ip.com/papers/netsec.html.
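As an added example (not code from the post, nor from the netsec page it links), here is a simplified token-bucket model of what `-m limit --limit 3/second --limit-burst 10` does to a stream of pings, so you can see which packets fall through to the DROP rule. Assumptions: it approximates the netfilter match for illustration rather than reproducing the kernel's code, and the ping timestamps are constructed.

```python
class LimitMatch:
    """Token-bucket model of '-m limit --limit N/second --limit-burst B'.

    Credits are kept in integer thousandths of a packet so the arithmetic
    is exact: N/second refills N credits per millisecond, one packet costs
    1000 credits, and the bucket never holds more than B packets' worth.
    (Assumption: this mirrors the match's observable behaviour, not its code.)
    """

    COST = 1000  # credits consumed by one matched packet

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.cap = burst * self.COST
        self.credits = self.cap  # the bucket starts full, so the first burst passes
        self.last_ms = 0

    def matches(self, now_ms):
        """True if a packet arriving at now_ms is still within the limit."""
        elapsed = now_ms - self.last_ms
        self.credits = min(self.cap, self.credits + elapsed * self.rate)
        self.last_ms = now_ms
        if self.credits >= self.COST:
            self.credits -= self.COST
            return True
        return False


def apply_chain(ping_times_ms, rate_per_sec=3, burst=10):
    """Walk packets through the post's chain: limited ACCEPT first, then DROP.

    Returns a list of (timestamp_ms, verdict) tuples.
    """
    limiter = LimitMatch(rate_per_sec, burst)
    return [(t, "ACCEPT" if limiter.matches(t) else "DROP") for t in ping_times_ms]


def count_verdicts(ping_times_ms, rate_per_sec=3, burst=10):
    """Return (accepted, dropped) counts for the given arrival times."""
    verdicts = [v for _, v in apply_chain(ping_times_ms, rate_per_sec, burst)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")


# Constructed inputs: a ping flood at 10 packets/second for three seconds,
# and a normal host pinging once a second.
FLOOD_MS = [i * 100 for i in range(30)]
NORMAL_MS = [10_000, 11_000, 12_000]

if __name__ == "__main__":
    print("flood  accept/drop:", count_verdicts(FLOOD_MS))   # (18, 12)
    print("normal accept/drop:", count_verdicts(NORMAL_MS))  # (3, 0)
```

The flood gets its first 10 packets through on the initial burst, then roughly 3 per second afterwards, while the once-a-second host is never touched.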