September 4th, 2004, 06:51 PM
Packet from 0.1.0.1?
This is what my firewall log shows (Kerio Personal Firewall 4). Note the raddr (remote address) parameter: it says 0.1.0.1.
Now, I would tend to think that this is a spoofed packet. I'd also be worried that it was permitted by my newly installed firewall. Looks like I need to start tightening my ruleset a little bit.
[04/Sep/2004 22:25:57] "Ids" action = permitted, raddr = 0.1.0.1, msg = '"BAD-TRAFFIC 0 ttl"', url = 'http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268', direc = in, class = 'misc-activity', priority = low
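A small checker for the log line above, added here as an example rather than code from the post or from Kerio: it parses the "Ids" line format, tests the remote address against ranges that cannot originate a packet arriving from the internet (0.0.0.0/8 is the RFC 1122 "this network" block), and flags a permitted inbound event that should have been dropped. The second sample line is constructed for contrast, and the code assumes the host sits on a public interface.

```python
import re
import ipaddress
# Kerio PF 4 "Ids" line: [timestamp] "component" key = value, key = 'quoted value', ...
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<comp>[^"]+)" (?P<fields>.*)$')
FIELD_RE = re.compile(r"(?P<key>\w+) = (?:'(?P<q>[^']*)'|(?P<b>[^,]*))")
# Ranges that cannot originate a packet arriving from the internet (assumption: public interface; on a LAN, RFC 1918 sources are normal).
BOGON_NETS = {
    "0.0.0.0/8": "'this network' (RFC 1122), usable only by a host that has no address yet",
    "127.0.0.0/8": "loopback", "169.254.0.0/16": "link-local", "224.0.0.0/4": "multicast",
    "10.0.0.0/8": "private (RFC 1918)", "172.16.0.0/12": "private (RFC 1918)",
    "192.168.0.0/16": "private (RFC 1918)", "240.0.0.0/4": "reserved",
}

def parse_kerio_ids_line(line):
    """Return the line's fields as a dict, or None if it is not an Ids line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("comp") != "Ids":
        return None
    fields = {"ts": m.group("ts")}
    for f in FIELD_RE.finditer(m.group("fields")):
        fields[f.group("key")] = (f.group("q") if f.group("q") is not None else f.group("b")).strip()
    return fields

def bogon_reason(addr):  # why addr is not a plausible internet source, or None
    ip = ipaddress.ip_address(addr)
    for net, why in BOGON_NETS.items():
        if ip in ipaddress.ip_network(net):
            return f"{addr} is in {net}: {why}"
    return None

def assess(line):
    """Flag a permitted inbound Ids event whose source is a bogon or which arrived with TTL 0."""
    f = parse_kerio_ids_line(line)
    if f is None:
        return None
    why = bogon_reason(f["raddr"]) if f.get("raddr") else None
    reasons = [why] if why else []
    if "0 ttl" in f.get("msg", "").lower():
        reasons.append("arrived with TTL 0; no correctly behaving sender emits this")
    gap = f.get("action") == "permitted" and f.get("direc") == "in" and bool(reasons)
    return {"ts": f["ts"], "raddr": f.get("raddr"), "reasons": reasons, "rule_gap": gap}

SAMPLE_LINES = [
    # The line from the post, verbatim.
    r"""[04/Sep/2004 22:25:57] "Ids" action = permitted, raddr = 0.1.0.1, msg = '"BAD-TRAFFIC 0 ttl"', url = 'http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268', direc = in, class = 'misc-activity', priority = low""",
    # Constructed contrast line: routable documentation-range source, nothing odd in msg.
    """[04/Sep/2004 22:31:02] "Ids" action = permitted, raddr = 203.0.113.9, msg = '"SCAN example probe"', direc = in, class = 'attempted-recon', priority = low""",
]

def rule_gaps(lines=SAMPLE_LINES):  # events the ruleset permitted but should have dropped
    return [a for a in map(assess, lines) if a and a["rule_gap"]]
```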
September 4th, 2004, 07:40 PM
It indicates support.microsoft.com (and this could still be a spoofed packet), but could that indicate an update or patch or some sort of support service Microsoft provides is trying to contact/connect to your PC? I doubt it; again, I emphasize that it could still be someone sending spoofed packets. I'd definitely tighten the ruleset a tad. Have you experienced any other abnormalities with your firewall? Kerio, right? Hrmm.. anything else odd?
September 4th, 2004, 08:04 PM
That URL leads to an MS link that says that due to a bug in Win95 a packet with a TTL of 0 can be sent. However, that isn't the issue here. The issue is the source IP.
September 4th, 2004, 09:56 PM
Hrmm, yeah, nor is your OS Win95, I'm betting? Hrmm, this sounds suspicious and odd. I'm still pondering if your Kerio settings are correct, but in either case I'm going to re-download Kerio and do some experimenting of my own. That IS a pretty weird source IP.
September 4th, 2004, 10:52 PM
To be honest I think it's a "trash" packet...
It's not going to do much.. the src address isn't reachable.... So any response to the packet is useless to the "attacker".
I'd forget it.... Simply for the fact that you have seen only one... If it was consistent I would have to think more deeply as to its intent..... But it still wouldn't make a lot of sense unless someone was in the same collision zone and sniffing the packets...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
September 5th, 2004, 05:40 AM
Oh, well. I've reconfigured Kerio to block "low priority" intrusions. For some reason, it doesn't think that a scan for the UPnP vulnerability and some others should be blocked by default. Now these trash packets will go where they belong, into the unknown void that awaits blocked packets.
Thanks to both TS and Spyder for their responses.