Packet from 0.1.0.1?

Printable View

September 4th, 2004, 06:51 PM
cgkanchi

Packet from 0.1.0.1?

This is what my firewall log shows (Kerio Personal Firewall 4). Note the raddr (remote address) parameter. It says 0.1.0.1

Quote:

[04/Sep/2004 22:25:57] "Ids" action = permitted, raddr = 0.1.0.1, msg = '"BAD-TRAFFIC 0 ttl"', url = 'http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268', direc = in, class = 'misc-activity', priority = low

Now, I would tend to think that this is a spoofed packet. I'd also be worried that it was permitted by my newly installed firewall. Looks like I need to start tightening my ruleset a little bit.
Any opinions?

Cheers,
cgkanchi
September 4th, 2004, 07:40 PM
Spyder32

It indicates support.microsoft.com (and this could still be a spoofed packet) but could that indicate an update or patch or some sort of support service Microsoft provide's is trying to contact/connect to your PC? I doubt it, again I emphasize that it could still be someone sending spoofed packet's. I'd definitely tighten the ruleset a tad and have you experienced any other abnormalities with your firewall? Kerio, right? Hrmm.. anything else odd?
September 4th, 2004, 08:04 PM
cgkanchi

That URL leads to an MS link that says that due to a bug in Win95 a packet with a TTL of 0 can be sent. However, that isn't the issue here. The issue is the source IP.

Cheers,
cgkanchi
September 4th, 2004, 09:56 PM
Spyder32

Hrmm, yeah nor is your OS Win95 I'm betting? Hrmm, this sound's suspicious and odd. I'm still pondering if your Kerio settings are correct, but in either case I'm going to re-download Kerio and do some experimenting of my own. That IS a pretty weird source IP.
September 4th, 2004, 10:52 PM
Tiger Shark

To be honest I think it's a "trash" packet...

It's not going to do much.. the src address isn't reachable.... So any response to the packet is useless to the "attacker".

I'd forget it.... Simply for the fact that you have seen only one... If it was consistent I would have to think more deeply as to it's intent..... But it still wouldn't make a lot of sense unless someone was in the same collision zone and sniffing the packets...
September 5th, 2004, 05:40 AM
cgkanchi

Oh, well. I've reconfigured Kerio to block "low priority" intrusions. For some reason, it doesn't think that a scan for the UPnP vulnerability and some others should be blocked by default. Now these trash packets will go where they belong, into the unknown void that awaits blocked packets :D.
Thanks to both TS and Spyder for their responses.

Cheers,
cgkanchi