On Mon, 23 Dec 2019, 10:12 Joe Monk, <[email protected]> wrote: > "0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in > which an adaptor doesn't have an address assigned yet and the device sends > out a DHCP request from 0.0.0.0 asking to be assigned a proper address." > > PCs dont send DHCP to 0.0.0.0. They send DHCP to 255.255.255.255 ... > broadcast IP. If the DHCP server is off network (as defined by the subnet > mask), then a helper address will be configured to get DHCP to the right > server. > > If it is a windows machine, the DHCP request packet will include the last > assigned IP address, as a way of requesting to keep the existing, which > will be ACKd or NAKd depending. >
Yes. My point is that 0.0.0.0 is also a valid /from/ address in DHCP, perhaps if DHCP has not previously been used. It all boils down to needing more information. Any "vulnerability team" that spots traffic they don't understand already has more information. They need to share it :-) Rupert ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
