Netgate Discussion Forum

    0.0.0.0 floods

General pfSense Questions
j2sw
Hey all,
I have been dealing with a problem on a network for a while now and can't
seem to put my finger on it.

About 3-4 times a day I get these floods that I believe are BOOTP floods. I installed darkstat and it is saying port 68 is about half the traffic when this happens. The other half is ICMP.

I have Ethereal, Wireshark, darkstat, and some other tools all collecting
data. I have several dumps if anyone is interested. The MAC addresses in
the raw packets are almost always different. I do not seem to see a
pattern. Ethereal reports both source and destination as 0.0.0.0. The
floods seem to be crossing routers. I have blocked all ICMP traffic at the
router levels.

Ideas, methods to track it down further, or what it could be? If it is a
"smurf" attack, should I not see the source or destination MAC address?

Thanks in advance,
Justin

jeroen234

Are these floods at the same times that your DHCP client leases are to be renewed?

j2sw

No, leases are set to 7 days. This happens 2-3 times a day at least.

hoba

Looks like someone is doing some MAC flooding (see http://www.securesphere.net/download/papers/SwitchSniff.htm):

MAC Flooding
Switches keep a translation table that maps various MAC addresses to the physical ports on the switch. As a result of this, a switch can intelligently route packets from one host to another, but it has a limited memory for this work. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch can't keep up. The switch then enters into what is known as a 'failopen mode', wherein it starts acting as a hub by broadcasting packets to all the machines on the network. Once that happens sniffing can be performed easily. MAC flooding can be performed by using macof, a utility which comes with dsniff suite.

    [root@tachyon dhar]# macof
    77:6b:e1:6e:5e:8c 93:2d:ed:45:f9:e3 0.0.0.0.45702 > 0.0.0.0.11000: S 1847390231:1847390231(0) win 512
    84:a4:d3:57:ef:8 12:56:52:42:dc:95 0.0.0.0.16630 > 0.0.0.0.3031: S 1484147693:1484147693(0) win 512
    88:f0:9:3f:18:89 d:86:53:53:d7:f8 0.0.0.0.15535 > 0.0.0.0.7466: S 293820390:293820390(0) win 512

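hoba's reply describes the mechanism; as an added example (not from the thread or any of its posters), here is a small Python detector for the symptom Justin describes: 1-second capture windows with an implausible number of distinct source MACs, most of them carrying the 0.0.0.0 -> 0.0.0.0 IP headers that macof forges. The line format (macof-style body with a leading timestamp), the sample frames and the thresholds are all constructed assumptions, not output of any real tool.

```python
import re
from collections import defaultdict

# One frame per line: "<epoch secs> <src mac> <dst mac> <src ip>.<port> > <dst ip>.<port> ..."
# i.e. the macof-style body quoted in the post, with a constructed timestamp prefix (assumption).
FRAME_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+"
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dip>[\d.]+)\.(?P<dport>\d+)"
)

def parse_frames(lines):
    """Yield (second, src_mac, src_ip, dst_ip) for every line that matches FRAME_RE."""
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            yield int(float(m["ts"])), m["smac"], m["sip"], m["dip"]

def detect_mac_flood(lines, max_src_macs=50, min_zero_ip_ratio=0.5):
    """Return [(second, distinct_src_macs, zero_ip_ratio)] for 1-second windows that
    look like a CAM-table flood: far more distinct source MACs than a LAN should emit,
    most of them carrying 0.0.0.0 -> 0.0.0.0 IP headers. Thresholds are assumptions."""
    windows = defaultdict(lambda: {"macs": set(), "frames": 0, "zero": 0})
    for sec, smac, sip, dip in parse_frames(lines):
        w = windows[sec]
        w["macs"].add(smac)
        w["frames"] += 1
        if sip == "0.0.0.0" and dip == "0.0.0.0":
            w["zero"] += 1
    hits = []
    for sec in sorted(windows):
        w = windows[sec]
        ratio = w["zero"] / w["frames"]
        if len(w["macs"]) > max_src_macs and ratio >= min_zero_ip_ratio:
            hits.append((sec, len(w["macs"]), round(ratio, 2)))
    return hits

def constructed_sample():
    """Constructed capture: a DHCP Discover and a normal TCP SYN in second 100, then a
    normal SYN plus 200 forged frames (each from a never-seen MAC) in second 101."""
    lines = [
        "100.10 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP",
        "100.20 00:11:22:33:44:66 00:11:22:33:44:01 192.168.1.10.51000 > 198.51.100.5.443: S",
        "101.00 00:11:22:33:44:66 00:11:22:33:44:01 192.168.1.10.51001 > 198.51.100.5.443: S",
    ]
    for i in range(200):  # locally administered, deterministic, all distinct
        lines.append(f"101.{i:03d} 02:00:00:00:{i >> 8:02x}:{i & 0xff:02x} "
                     f"02:00:00:01:{i >> 8:02x}:{i & 0xff:02x} "
                     f"0.0.0.0.{1024 + i} > 0.0.0.0.{2048 + i}: S 1:1(0) win 512")
    return lines
```

Running `detect_mac_flood(constructed_sample())` flags only second 101 (201 distinct source MACs, ratio 1.0); the single DHCP Discover from 0.0.0.0:68 in second 100 is not enough to trip it, which is the distinction the original poster's port-68 observation needs.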