Strange traffic from the soup of the internet

Geminorum_cco
Level 1

Hi everybody,

Thanks for a great forum and resource!

Our syslogs recently started showing a specific spoof getting dropped by one of our main firewalls, an ASA.

"Deny IP spoof from (0.0.4.0) to <removed public ip> on interface outside"

While no harm is done since the traffic is dropped, I still wonder... It has been going on for quite a while now, and with a frequency of maybe 40 or 50 times a minute I figure it's not going to stop any time soon.

What would you guys do about something like this?

Thanks.

Cheers

5 Replies

Hi,

I think, if you have an edge router facing the internet, put an ACL for that.

Thanks

Pranesh

Hi Pranesh,

Thanks. Yeah, I did; it's just my curious nature, I guess, that makes me want to investigate further. Has anyone ever followed up on something like this by maybe contacting the provider? Would that do any good?

Cheers

Hi,

Do a WHOIS lookup on the IP address and report it to the ISP's spam/abuse support email.

The ISP will notify the corresponding IP owner to scan for and fix any malicious activity.

There are free web tools to check the WHOIS database.

Hi johnlloyd_13,

Yeah, but the source address in this case is apparently a special-use address, 0.0.4.0. Here is a snippet from the WHOIS I pulled on it:

"Comment: The address 0.0.0.0 may only be used as the address of an outgoing packet when a computer is learning which IP address it should use. It is never used as a destination address. Addresses starting with "0." are sometimes used for broadcasts to directly connected devices."

So unless my ISP has added a new (and seriously misconfigured) device somewhere, I won't be getting anywhere with that. And if this isn't from my ISP, how does that kind of traffic even get across the internet?

Doesn't anybody past my rented black fiber filter traffic in any way? Would an ISP allow a customer to initiate traffic not sourced from that customer's own IP address/range?

Cheers

Hi,

There's a comment which also says it could be in your LAN, or perhaps someone VPN'd in and spoofed it.

"Comment: If you see addresses starting with a "0." in logs they are probably in use on your network, which might be as small as a computer connected to a home gateway."
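The two pieces of advice in this thread (WHOIS the source and report it to the ISP's abuse contact, versus treat a "0." source as something on your own side) only make sense once you know whether the spoofed source is routable at all. The script below is an added example and is not from any poster or from Cisco: it parses ASA "Deny IP spoof" lines (ASA message ID 106016, the same format as the log line quoted in the question), counts hits per source and the peak per minute, and labels each source as non-routable (0.0.0.0/8, RFC 1918, CGN, loopback, link-local, multicast, reserved: look locally, at the LAN, a VPN peer or the upstream device) or routable (WHOIS and an abuse report are worthwhile). The sample log lines, the hostname fw01, the timestamps and the addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real public addresses, and the rule set is a simplification of the IANA special-purpose registry rather than the full list.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in Cisco ASA format. Message ID 106016 is
# the ASA's "Deny IP spoof" event; the hostname fw01, the timestamps and the
# addresses are made up for this example (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for real public addresses).
SAMPLE_LOG = """\
Jun 12 10:15:01 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Jun 12 10:15:02 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
Jun 12 10:15:02 fw01 %ASA-2-106016: Deny IP spoof from (10.20.30.40) to 203.0.113.10 on interface outside
Jun 12 10:15:03 fw01 %ASA-2-106016: Deny IP spoof from (198.51.100.77) to 203.0.113.10 on interface outside
Jun 12 10:15:03 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.5/4321 (198.51.100.5/4321) to inside:10.0.0.5/443 (203.0.113.10/443)
Jun 12 10:16:00 fw01 %ASA-2-106016: Deny IP spoof from (0.0.4.0) to 203.0.113.10 on interface outside
"""

# Captures the timestamp down to the minute (for rate counting), then the
# fields of the 106016 message. Lines with any other message ID do not match.
SPOOF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ %ASA-\d-106016: "
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)"
)

# Source ranges that should never arrive on an internet-facing interface.
# Seeing them there points at your own LAN, a VPN peer or a misconfigured
# upstream device rather than at a remote party you could report to an ISP.
# (Simplified from the IANA special-purpose registry; not the full list.)
NON_ROUTABLE = [
    (ip_network("0.0.0.0/8"),      "this-network (RFC 1122)"),
    (ip_network("10.0.0.0/8"),     "private (RFC 1918)"),
    (ip_network("172.16.0.0/12"),  "private (RFC 1918)"),
    (ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ip_network("100.64.0.0/10"),  "shared address space / CGN (RFC 6598)"),
    (ip_network("127.0.0.0/8"),    "loopback"),
    (ip_network("169.254.0.0/16"), "link-local"),
    (ip_network("224.0.0.0/4"),    "multicast"),
    (ip_network("240.0.0.0/4"),    "reserved"),
]


def classify(src):
    """Label a spoofed source address and say which follow-up makes sense."""
    addr = ip_address(src)
    for net, label in NON_ROUTABLE:
        if addr in net:
            return {"label": label, "action": "investigate-local"}
    # Anything else is routable under these rules: a WHOIS lookup and an
    # abuse report to the owning ISP are worthwhile.
    return {"label": "routable public address", "action": "whois-and-report"}


def parse_spoof_events(log_text):
    """Yield (minute, src, dst, iface) for every 106016 line; skip the rest."""
    for line in log_text.splitlines():
        m = SPOOF_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("iface")


def summarize(log_text):
    """Per source: hit count, peak hits in any one minute, label and action."""
    minutes_by_src = defaultdict(list)
    for minute, src, _dst, _iface in parse_spoof_events(log_text):
        minutes_by_src[src].append(minute)
    report = {}
    for src, minutes in minutes_by_src.items():
        info = classify(src)
        report[src] = {
            "count": len(minutes),
            "peak_per_minute": max(Counter(minutes).values()),
            "label": info["label"],
            "action": info["action"],
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src:15} hits={info['count']} peak/min={info['peak_per_minute']} "
              f"{info['label']} -> {info['action']}")
```

Point it at a real syslog export (for example `summarize(open("asa.log").read())`) and the 0.0.4.0 source from the question lands in the investigate-local bucket, which is the same conclusion the WHOIS comment reaches: trace it on your own side before spending time on an abuse report. Only sources that fall outside the non-routable list get the whois-and-report action that the earlier reply recommends.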
