Packet from 0.1.0.1?
Results 1 to 6 of 6

Thread: Packet from 0.1.0.1?

  1. #1
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165

    Packet from 0.1.0.1?

    This is what my firewall log shows (Kerio Personal Firewall 4). Note the raddr (remote address) parameter. It says 0.1.0.1

    [04/Sep/2004 22:25:57] "Ids" action = permitted, raddr = 0.1.0.1, msg = '"BAD-TRAFFIC 0 ttl"', url = 'http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268', direc = in, class = 'misc-activity', priority = low
    Now, I would tend to think that this is a spoofed packet. I'd also be worried that it was permitted by my newly installed firewall. Looks like I need to start tightening my ruleset a little bit.
    Any opinions?

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    It indicates support.microsoft.com (and this could still be a spoofed packet) but could that indicate an update or patch or some sort of support service Microsoft provide's is trying to contact/connect to your PC? I doubt it, again I emphasize that it could still be someone sending spoofed packet's. I'd definitely tighten the ruleset a tad and have you experienced any other abnormalities with your firewall? Kerio, right? Hrmm.. anything else odd?
    Space For Rent.. =]

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    That URL leads to an MS link that says that due to a bug in Win95 a packet with a TTL of 0 can be sent. However, that isn't the issue here. The issue is the source IP.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, yeah nor is your OS Win95 I'm betting? Hrmm, this sound's suspicious and odd. I'm still pondering if your Kerio settings are correct, but in either case I'm going to re-download Kerio and do some experimenting of my own. That IS a pretty weird source IP.
    Space For Rent.. =]

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To be honest I think it's a "trash" packet...

    It's not going to do much.. the src address isn't reachable.... So any response to the packet is useless to the "attacker".

    I'd forget it.... Simply for the fact that you have seen only one... If it was consistent I would have to think more deeply as to it's intent..... But it still wouldn't make a lot of sense unless someone was in the same collision zone and sniffing the packets...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Oh, well. I've reconfigured Kerio to block "low priority" intrusions. For some reason, it doesn't think that a scan for the UPnP vulnerability and some others should be blocked by default. Now these trash packets will go where they belong, into the unknown void that awaits blocked packets .
    Thanks to both TS and Spyder for their responses.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •