The IP address "0.0.0.0" means that "we are unsure of the exact source"; it doesn't 
mean that the address 0.0.0.0 was actually seen on the wire.

The biggest source of this is from the "coalescer" on the sensor. The basic purpose of 
the coalescer is to combine identical events into a single event with a 
"repeat-count". However, if somebody spoofs their IP address and floods the sensor, 
then such logic wouldn't successfully coalesce events, which would then fill up your 
database. Therefore, the coalescer has logic that triggers when the same event comes 
in from more than 16 sources -- then changes the source to 0.0.0.0. In practice, this 
has made a major difference in survivability of the sensor vs. worms and DDoS 
attacks, though it didn't work as well for Slammer as we hoped (something we are 
fixing in the next major XPU).
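A toy model of the coalescer behaviour described in the reply above, added here as an illustration and not ISS sensor code: the "more than 16 sources" threshold is from the post, while the event tuples, signature name and addresses are constructed.

```python
from collections import defaultdict

UNKNOWN_SRC = "0.0.0.0"   # placeholder meaning "source uncertain", not an address seen on the wire
SOURCE_THRESHOLD = 16     # same event from more than 16 sources -> attributed to 0.0.0.0


def coalesce(events, threshold=SOURCE_THRESHOLD):
    """Return coalesced records: {(sig, src, dst): repeat_count}.

    Identical events (same signature, source, destination) collapse into one
    record with a repeat count.  Once a (sig, dst) pair has been seen from more
    than `threshold` distinct sources, further events for that pair are
    attributed to 0.0.0.0, so a spoofed-source flood collapses into a single
    record instead of one record per forged address.  (Illustrative model.)
    """
    records = defaultdict(int)
    seen_sources = defaultdict(set)
    for sig, src, dst in events:
        seen_sources[(sig, dst)].add(src)
        if len(seen_sources[(sig, dst)]) > threshold:
            src = UNKNOWN_SRC
        records[(sig, src, dst)] += 1
    return dict(records)


def build_sample():
    """Constructed input: one genuine repeat offender plus a spoofed flood."""
    # Five identical events from a single real source -> one record, repeat-count 5
    events = [("SQL_Slammer_Probe", "198.51.100.7", "192.0.2.10")] * 5
    # 100 events against one target, each with a different forged source address
    events += [("SQL_Slammer_Probe", f"203.0.113.{i}", "192.0.2.20") for i in range(100)]
    return events


if __name__ == "__main__":
    for key, count in sorted(coalesce(build_sample()).items()):
        print(key, "repeat-count:", count)
```

With the constructed input, the first 16 forged sources each keep their own record and the remaining 84 flood events fold into a single 0.0.0.0 record, which is why an analyst sees "0.0.0.0" rather than 100 separate sources.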




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of CHO
Sent: Monday, March 31, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] source 0.0.0.0


I am getting a lot of events coming from IP address 0.0.0.0
Various events....
What can that be ? Is somebody in here trying to crack the hell out of our net??? or is 
it just normal??
How can it appear in normal traffic?


CHO-Chief Hacking Officer

We are drowning in information, but starving for KNOWLEDGE!





_______________________________________________
ISSForum mailing list