[Snort-users] IP addresses beginning with zero?
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Wed Mar 13 13:43:04 EST 2002
In my Snort (1.9dev) server logs I occasionally see UDP packets from several
internal NT servers destined for IP addresses where the first octet is zero
such as 0.0.0.10 and 0.0.0.172. Source and destination ports are always 137
and the packet contents appear to be normal Netbios over IP stuff. It
happens only maybe 3 to 6 times per day and I have been trying to research
why this is happening so as to rule out any security issues such as a trojan
horse or some other illicit code communicating on the network. THe
interesting thing is if I look at the MAC addresses the packets are destined
for when sent to these IP addresses beginning with zero, the MAC address is
always points to our internal firewall interface.
NTserver1:137 -> 0.0.0.172:137
NTserver2:137 -> 220.127.116.11:137
NTserver3:137 -> 0.0.0.10:137
Some traces with MAC address info:
[**] [1:0:0] UDP to 0.0.0.172 [**]
03/11-20:37:22.297425 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
NTServer1:137 -> 0.0.0.172:137 UDP TTL:128 TOS:0x0 ID:21003 IpLen:20
[**] [1:0:0] UDP to 0.0.0.10 [**]
03/11-20:37:48.225007 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
NTServer1:137 -> 0.0.0.10:137 UDP TTL:128 TOS:0x0 ID:34063 IpLen:20
[**] [1:0:0] UDP to 18.104.22.168 [**]
03/11-21:22:07.738358 0:8:C7:E6:26:D8 -> 0:D0:B7:3D:9B:AE type:0x800
NTServer1:137 -> 22.214.171.124:137 UDP TTL:128 TOS:0x0 ID:28172 IpLen:20
I came across only one site on the Internet that mentioned the following:
"0 <IP addresses beginning with 0>: These are reserved for computers that do
not know their address. For example, 0.0.0.10 would be a computer that only
knew it was host 10 on an unknown network."
I can find no other information on IP addresses where the first octet is
zero. I was curious if anyone else has come across packets on their network
destined for IP addresses beginning with 0, and if you might have any other
information on this.
Manager of Information Security
paul.sheahan at ...2218...
More information about the Snort-users