udp connections from ip address 0.0.0.0????

phpAddict

Active Member
So this morning I've received two emails from lfd saying "0.0.0.0 (-/-/-) blocked with too many connections"

Below is the body of the message. I feel I've become fairly familiar with lfd and I've seen IP addresses get blocked but not a blank 0.0.0.0 IP address. Also, I've never seen too many connections from each and every single IP address on my server. Hackers usually only target 1 IP address. Is this a script on my server trying to do something unusual? Any ideas guys?

udp: 0.0.0.0:0 -> My-IP-Address-1:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-2:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-3:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-4:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-5:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-6:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-7:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-8:123 (CLOSE)
udp: 0.0.0.0:0 -> 0.0.0.0:123 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-8:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-1:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-2:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-3:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-4:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-5:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-6:53 (CLOSE)
udp: 0.0.0.0:0 -> My-IP-Address-7:53 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.9:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.8:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.7:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.6:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.5:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.4:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.3:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.2:123 (CLOSE)
udp6: 0.0.0.0:0 -> 0.0.0.0:123 (CLOSE)
 
Hey Josh,

I can't be too sure with out actually logging in and taking a look, however it's possible that this could be from your ColdFusion install. (Or is this a different server?)

0.0.0.0 has a couple of different meanings, but in this context, when a server is told to listen on 0.0.0.0 that means "listen on every available network interface". The loopback adapter with IP address 127.0.0.1 from the perspective of the server process looks just like any other network adapter on the machine, so a server told to listen on 0.0.0.0 will accept connections on that interface too.
 
It's a very different server. My CF server is a VM on my local machine far away from my production server at KH. I'll submit a ticket and request you to take a look if I can do that.
 
@phpAddict If it were me personally, I wouldn't whitelist it but that is because I'm not completely sure where all it would be used. In your situation, it was just NTPD and DNS, which we can see because of the ports, port 123 and port 53. I would definitely remove the block though and reconsider whitelisting if it continues to happen and looks to be trusted every time.
 
Top