Why do the Threat Logs show source and destination IP addresses as 0.0.0.0 for detected and blocked TCP flood attacks?

Created On 07/24/19 19:31 PM - Last Modified 07/29/25 22:11 PM


Question


Why do the Threat Logs show source and destination IP addresses as 0.0.0.0 for detected and blocked TCP flood attacks?



Environment


  • Any PAN-OS.
  • Palo Alto Firewall.

 


Answer


TCP flood attacks usually originate from many source IP addresses and target many destination IP addresses.
A Zone Protection Profile or a DoS aggregate profile counts the combined traffic rather than tracking individual addresses, so when either one blocks a TCP flood attack, the threat logs show the source and destination IP addresses as 0.0.0.0.

In order to identify the attacker's IP address, configure a DoS protection classified profile.

Information on configuring a DoS Protection profile can be found here.
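
A simplified model of the difference between aggregate and classified counting, added here as an illustration (not PAN-OS code and not part of the original article). The packet sample, thresholds, function names and the source-IP classification criterion are constructed assumptions:

```python
from collections import Counter

# Constructed one-second sample of TCP SYNs as (source IP, destination IP).
# 198.51.100.7 is the constructed heavy sender; the rest is background traffic.
SAMPLE_SYNS = (
    [("198.51.100.7", "203.0.113.10")] * 60
    + [(f"192.0.2.{i}", "203.0.113.10") for i in range(1, 31)]
    + [(f"192.0.2.{i}", "203.0.113.20") for i in range(31, 51)]
)


def aggregate_events(syns, max_rate):
    """Aggregate model: one counter for all matching traffic.

    The counter is not keyed by address, so the event cannot name a
    sender or a target and both fields are logged as 0.0.0.0.
    """
    over = len(syns) - max_rate
    if over <= 0:
        return []
    return [{"src": "0.0.0.0", "dst": "0.0.0.0", "over_limit": over}]


def classified_events(syns, max_rate):
    """Classified model: one counter per source IP (assumed criterion).

    Each event carries the source address whose own rate passed the limit.
    """
    per_source = Counter(src for src, _dst in syns)
    return [
        {"src": src, "over_limit": count - max_rate}
        for src, count in sorted(per_source.items())
        if count > max_rate
    ]


if __name__ == "__main__":
    print(aggregate_events(SAMPLE_SYNS, max_rate=100))
    print(classified_events(SAMPLE_SYNS, max_rate=20))
```

In this model the same traffic produces one unattributed event under the aggregate counter and one event naming 198.51.100.7 under the per-source counter, which is the attribution a classified profile adds.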

 


Additional Information


DEFENDING FROM DOS AND VOLUMETRIC DDOS ATTACKS


