RE: spoofed packets to RFC 1918 addresses

From: Sterling, Chuck (csterlinat_private)
Date: Fri Jun 28 2002 - 07:27:21 PDT


    FWIW, how does one get the various Internet widgets to route packets
    addressed to 192.168.*, especially to a different network? I was under the
    impression that they were unroutable over the Internet. Is this incorrect,
    or is someone messing with routing tables somewhere, or what? If this is
    taking place I need some more education... probably do anyway.
    
    The reason I ask is that when I see packets with 192.168.* or other
    similarly defined addresses, it is invariably as a source address, and I
    assume that, if it was done intentionally, the sender does not really expect
    an answer (to an unroutable (?) address). So far as I know there have been
    no inbound external packets addressed _to_ 192.168.*. If I saw some within
    my net, I would hunt within my net for the transmitter. An example of this
    is some leakage from a small SAN we have that uses 10.* addresses
    internally. Occasionally I would see some of those hit the internal side of
    the firewall, and after tracing them I found that more-or-less legitimate
    source for them.
    
    Chuck Sterling
    Magic is REAL, unless declared INTEGER
    
    > ----------
    > From: 	HggdH[SMTP:hggdhat_private]
    > Sent: 	Thursday, June 27, 2002 4:05 PM
    > To: 	Incidents
    > Subject: 	Fw: spoofed packets to RFC 1918 addresses
    > 
    > I wonder ... I just remembered that at least the Linksys DSL/Cable routers,
    > by default, sit at 192.168.1.x; the DMZ is, usually, on the same subnet.
    > 
    > Would someone be looking for Windows hosts there? As Linksys puts it, a
    > machine in the DMZ is completely exposed to the Internet. No firewall
    > protection.
    > 
    > ..hggdh..
    > ----- Original Message -----
    > From: "Robert E. Lee" <relat_private>
    > (snip)
    > My organization saw some connection attempts to an RFC 1918 space on our
    > firewall in the past few days as well.  Specifically IPs in the
    > 192.168.1.0/24 space, and specifically on tcp port 137.  The firewall
    > marked the packets as being spoofed, and dropped them.
    > (snip)
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 08:58:08 PDT
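
Added example, not part of the original thread: a small triage routine that separates the cases discussed above (RFC 1918 source seen on the outside, RFC 1918 destination seen on the outside, and unexpected private sources leaking on the inside). The `key=value` log format, the `ext`/`int` interface labels, `INSIDE_NETS` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks (ipaddress's is_private is broader, so list them).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the prefixes legitimately numbered behind this firewall.
INSIDE_NETS = [ipaddress.ip_network("192.168.20.0/24")]

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def classify(iface, src, dst):
    """Label one packet seen on the 'ext' or 'int' side of the firewall."""
    if iface == "ext":
        if in_any(src, RFC1918):
            # No reply can be routed back: forged source or upstream leakage.
            return "ext-private-source"
        if in_any(dst, RFC1918):
            # Not expected to cross the public Internet to reach us.
            return "ext-private-destination"
    elif iface == "int":
        if in_any(src, RFC1918) and not in_any(src, INSIDE_NETS):
            # Private source we do not number from: find the local transmitter.
            return "int-unknown-private-source"
    return "ok"

def parse(line):
    # Split one constructed log line into its key=value fields.
    return dict(field.split("=", 1) for field in line.split())

def triage(lines):
    return [(classify(f["iface"], f["src"], f["dst"]), f)
            for f in map(parse, lines)]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "iface=ext src=192.168.1.77 dst=203.0.113.10 proto=tcp dport=137",
    "iface=ext src=198.51.100.9 dst=192.168.1.5 proto=tcp dport=137",
    "iface=int src=10.1.2.3 dst=203.0.113.10 proto=udp dport=53",
    "iface=int src=192.168.20.14 dst=198.51.100.9 proto=tcp dport=443",
]

if __name__ == "__main__":
    for label, f in triage(SAMPLE):
        print(f"{label:28} {f['src']} -> {f['dst']} dport={f['dport']}")
```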