Re: IP 0.0.0.0
On Mon, 23 Dec 2019 15:08:02 -0700, Grant Taylor wrote:

>Where is it cross posted from / to? (I'd like to look at the other
>location.)

IBMTCP-L is where the meat of the discussion is taking place.

Alan Altmark
IBM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IP 0.0.0.0
On 12/23/19 12:53 AM, Jake Anderson wrote:

> Hello

Hi,

> Cross posted

Where is it cross posted from / to? (I'd like to look at the other location.)

> Our network vulnerability team has reported that there is traffic between
> 0.0.0.0 and LPAR IP.

Is there any chance that the vulnerability team is using 0.0.0.0 as a stand in for that is not a defined communications end point? As in it doesn't match known hosts, thus it matches 0.0.0.0/0?

--
Grant. . . . unix || die
Re: IP 0.0.0.0
On Mon, 23 Dec 2019, 10:12 Joe Monk wrote:

> "0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in
> which an adaptor doesn't have an address assigned yet and the device sends
> out a DHCP request from 0.0.0.0 asking to be assigned a proper address."
>
> PCs don't send DHCP to 0.0.0.0. They send DHCP to 255.255.255.255 ...
> broadcast IP. If the DHCP server is off network (as defined by the subnet
> mask), then a helper address will be configured to get DHCP to the right
> server.
>
> If it is a Windows machine, the DHCP request packet will include the last
> assigned IP address, as a way of requesting to keep the existing, which
> will be ACKd or NAKd depending.

Yes. My point is that 0.0.0.0 is also a valid /from/ address in DHCP, perhaps if DHCP has not previously been used.

It all boils down to needing more information. Any "vulnerability team" that spots traffic they don't understand already has more information. They need to share it :-)

Rupert
Re: IP 0.0.0.0
"0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in which an adaptor doesn't have an address assigned yet and the device sends out a DHCP request from 0.0.0.0 asking to be assigned a proper address."

PCs don't send DHCP to 0.0.0.0. They send DHCP to 255.255.255.255 ... broadcast IP. If the DHCP server is off network (as defined by the subnet mask), then a helper address will be configured to get DHCP to the right server.

If it is a Windows machine, the DHCP request packet will include the last assigned IP address, as a way of requesting to keep the existing, which will be ACKd or NAKd depending.

Joe

On Mon, Dec 23, 2019 at 2:28 AM Rupert Reynolds wrote:

> 0.0.0.0 is a special "no address" or "any address", depending on context.
>
> If a listening server socket binds to 0.0.0.0 then it listens on any
> interfaces present, which might be two adaptors with addresses
> 192.168.something and 10.something, for example.
>
> 0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in
> which an adaptor doesn't have an address assigned yet and the device sends
> out a DHCP request from 0.0.0.0 asking to be assigned a proper address.
>
> I'd ask for clarification, myself :-)
>
> On Mon, 23 Dec 2019, 07:53 Jake Anderson wrote:
>
> > Hello
> >
> > Cross posted
> >
> > Our network vulnerability team has reported that there is traffic between
> > 0.0.0.0 and LPAR IP.
> >
> > Does it mean 0.0.0.0 listens on all addresses and makes the server open
> > to the internet?
> >
> > I believe 0.0.0.0 belongs to BPXOINIT(OMVS)
> >
> > Regards
> > Jake
Re: IP 0.0.0.0
The address 0.0.0.0 is nothing in and of itself to worry about. What you need to worry about are the port numbers to which it is trying to communicate.

Joe

On Mon, Dec 23, 2019 at 1:54 AM Jake Anderson wrote:

> Hello
>
> Cross posted
>
> Our network vulnerability team has reported that there is traffic between
> 0.0.0.0 and LPAR IP.
>
> Does it mean 0.0.0.0 listens on all addresses and makes the server open
> to the internet?
>
> I believe 0.0.0.0 belongs to BPXOINIT(OMVS)
>
> Regards
> Jake
Re: IP 0.0.0.0
I don't know any of the mainframe conventions and others here will, but my first question would be for clarification of what they mean by 'traffic'.

Is it protocol UDP or TCP or some other, if it's TCP is it simply SYN packets (at the start of a TCP connection) without response, or is there a whole sequence for a TCP connection and stream of data? What ports are the source and destination?

'Traffic' without a port or even a protocol name (or number) is about as vague as they can be :-)

Rupert

On Mon, 23 Dec 2019, 08:32 Jake Anderson wrote:

> Hi Rupert
>
> I understand but any clue why it has traffic with Mainframe IP when it is
> not even listening on any application?
>
> On Mon, 23 Dec, 2019, 12:28 PM Rupert Reynolds wrote:
>
> > 0.0.0.0 is a special "no address" or "any address", depending on context.
> >
> > If a listening server socket binds to 0.0.0.0 then it listens on any
> > interfaces present, which might be two adaptors with addresses
> > 192.168.something and 10.something, for example.
> >
> > 0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in
> > which an adaptor doesn't have an address assigned yet and the device sends
> > out a DHCP request from 0.0.0.0 asking to be assigned a proper address.
> >
> > I'd ask for clarification, myself :-)
> >
> > On Mon, 23 Dec 2019, 07:53 Jake Anderson wrote:
> >
> > > Hello
> > >
> > > Cross posted
> > >
> > > Our network vulnerability team has reported that there is traffic
> > > between 0.0.0.0 and LPAR IP.
> > >
> > > Does it mean 0.0.0.0 listens on all addresses and makes the server open
> > > to the internet?
> > >
> > > I believe 0.0.0.0 belongs to BPXOINIT(OMVS)
> > >
> > > Regards
> > > Jake
Re: IP 0.0.0.0
Hi Rupert

I understand but any clue why it has traffic with Mainframe IP when it is not even listening on any application?

On Mon, 23 Dec, 2019, 12:28 PM Rupert Reynolds wrote:

> 0.0.0.0 is a special "no address" or "any address", depending on context.
>
> If a listening server socket binds to 0.0.0.0 then it listens on any
> interfaces present, which might be two adaptors with addresses
> 192.168.something and 10.something, for example.
>
> 0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in
> which an adaptor doesn't have an address assigned yet and the device sends
> out a DHCP request from 0.0.0.0 asking to be assigned a proper address.
>
> I'd ask for clarification, myself :-)
>
> On Mon, 23 Dec 2019, 07:53 Jake Anderson wrote:
>
> > Hello
> >
> > Cross posted
> >
> > Our network vulnerability team has reported that there is traffic between
> > 0.0.0.0 and LPAR IP.
> >
> > Does it mean 0.0.0.0 listens on all addresses and makes the server open
> > to the internet?
> >
> > I believe 0.0.0.0 belongs to BPXOINIT(OMVS)
> >
> > Regards
> > Jake
Re: IP 0.0.0.0
0.0.0.0 is a special "no address" or "any address", depending on context.

If a listening server socket binds to 0.0.0.0 then it listens on any interfaces present, which might be two adaptors with addresses 192.168.something and 10.something, for example.

0.0.0.0 is non-routable and a typical use in traffic would be in DHCP, in which an adaptor doesn't have an address assigned yet and the device sends out a DHCP request from 0.0.0.0 asking to be assigned a proper address.

I'd ask for clarification, myself :-)

On Mon, 23 Dec 2019, 07:53 Jake Anderson wrote:

> Hello
>
> Cross posted
>
> Our network vulnerability team has reported that there is traffic between
> 0.0.0.0 and LPAR IP.
>
> Does it mean 0.0.0.0 listens on all addresses and makes the server open
> to the internet?
>
> I believe 0.0.0.0 belongs to BPXOINIT(OMVS)
>
> Regards
> Jake
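
Added example, not written by any poster in this thread: one way to sort a report of "traffic involving 0.0.0.0" into the cases raised in the messages above (a listening socket bound to all interfaces, a DHCP client broadcast, 0.0.0.0/0 used as an "any" placeholder, or a report too vague to judge without protocol and ports). The record layout, the labels and the sample addresses are constructed for illustration.

```python
import ipaddress

UNSPEC = ipaddress.ip_address("0.0.0.0")

# Constructed records (not data from the thread). 192.0.2.10 stands in for
# the LPAR address; field names and labels are assumptions for illustration.
SAMPLE = [
    {"kind": "socket", "proto": "tcp", "local": "0.0.0.0", "lport": 23,
     "state": "LISTEN"},
    {"kind": "packet", "proto": "udp", "src": "0.0.0.0", "sport": 68,
     "dst": "255.255.255.255", "dport": 67},
    {"kind": "packet", "proto": "tcp", "src": "0.0.0.0", "sport": 40000,
     "dst": "192.0.2.10", "dport": 445, "flags": "S"},
    {"kind": "packet", "src": "0.0.0.0", "dst": "192.0.2.10"},
    {"kind": "packet", "proto": "tcp", "src": "0.0.0.0/0", "sport": 51000,
     "dst": "192.0.2.10", "dport": 23},
    {"kind": "packet", "proto": "tcp", "src": "198.51.100.7", "sport": 51000,
     "dst": "192.0.2.10", "dport": 23, "flags": "S"},
]


def classify(rec):
    """Label one record with the explanation it most likely has."""
    if rec["kind"] == "socket":
        # Socket-table entry: bound to every local interface, no packet implied.
        if ipaddress.ip_address(rec["local"]) == UNSPEC and rec.get("state") == "LISTEN":
            return "listener-on-all-interfaces"
        return "socket-specific-address"
    src = rec["src"]
    # A /0 prefix is a tool's "any source" placeholder, not a host address.
    if "/" in src:
        net = ipaddress.ip_network(src, strict=False)
        return "report-wildcard" if net.prefixlen == 0 else "source-range"
    if ipaddress.ip_address(src) != UNSPEC:
        return "ordinary-source"
    # From here on the source really is 0.0.0.0: protocol and ports decide.
    if "proto" not in rec or "dport" not in rec:
        return "need-protocol-and-ports"
    dhcp = (rec["proto"], rec.get("sport"), rec["dport"]) == ("udp", 68, 67)
    if dhcp and rec["dst"] == "255.255.255.255":
        return "dhcp-client-broadcast"
    return "unspecified-source-needs-followup"


def triage(records):
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, label in zip(SAMPLE, triage(SAMPLE)):
        print(label, rec)
```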
IP 0.0.0.0
Hello

Cross posted

Our network vulnerability team has reported that there is traffic between 0.0.0.0 and LPAR IP.

Does it mean 0.0.0.0 listens on all addresses and makes the server open to the internet?

I believe 0.0.0.0 belongs to BPXOINIT(OMVS)

Regards
Jake