RE: Odd entries in my Security Router logs

From: David Gillett (gillettdavidat_private)
Date: Wed Dec 11 2002 - 12:59:12 PST


      While RFC1918 addresses should not be reachable over the
    public portions of the Internet, VERY few routers are 
    configured to discard traffic which shows them (or any 
    other bogus/impossible value) as a source.  In general, 
    routing and filtering look only at the destination 
    address.
      Since these are not supposed to be valid destinations,
    it should not be possible to complete a TCP three-way
    handshake and establish a session with them over the 
    Internet.  However, this point is moot if the purpose
    of a packet is to do its damage without such a session,
    either by crafting of the initial SYN TCP packet, or 
    using some connectionless protocol.
    
      Reality, therefore, is that packets from these source 
    addresses are seen on the public Internet, and that any
    router/firewall/gateway at a security perimeter should
    drop them.
      Further detailed examination of these packets is left
    as an exercise for admins with spare time.
    
    Dave Gillett
    
    
    > -----Original Message-----
    > From: Michael Sierchio [mailto:kudzuat_private]
    > Sent: Wednesday, December 11, 2002 10:09 AM
    > To: Andrews, Jonathan (US - Hermitage)
    > Cc: 'Julian Young'; incidentsat_private
    > Subject: Re: Odd entries in my Security Router logs
    > 
    > 
    > Andrews, Jonathan (US - Hermitage) wrote:
    > 
    > > 192.168.0.0/16 is a privately addressed netblock.  These packets
    > > could not be routed over the Internet. ...
    > 
    > 
    > Sadly, this is not invariably the case.  Only recently did my ISP
    > respond to months of complaints about routing from/to RFC 1918
    > addresses.
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
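The perimeter rule described in the reply above (drop anything arriving from outside with an RFC 1918 or otherwise impossible source), as an added example that is not part of the original thread. The log format, the interface name `wan0` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Sources that should never appear on an Internet-facing interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",     # loopback, "this" net, link-local
    "224.0.0.0/4", "240.0.0.0/4",                     # multicast, reserved
)]
EXTERNAL_IF = "wan0"  # assumption: name of the Internet-facing interface
FIELD = re.compile(r"(\w+)=(\S+)")

def bogon_net(addr):
    """Return the bogon network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in BOGON_SOURCES if ip in n), None)

def verdict(line):
    """What a perimeter ingress filter should do with one logged packet."""
    f = dict(FIELD.findall(line))
    if f.get("IN") != EXTERNAL_IF:
        return ("pass", "not from the external interface")
    try:
        net = bogon_net(f["SRC"])
    except (KeyError, ValueError):
        return ("drop", "missing or malformed source address")
    if net is None:
        return ("pass", "routable source")
    # Replies can never reach a bogus source, so the packets that matter are
    # session-less: a lone SYN or a connectionless protocol.
    sessionless = f.get("PROTO") in ("UDP", "ICMP") or "SYN" in line.split()
    kind = "one-way packet" if sessionless else "cannot complete a handshake"
    return ("drop", f"source in {net} ({kind})")

# Constructed sample lines in a key=value style; not taken from the thread.
SAMPLE_LOG = [
    "Dec 11 10:09:01 gw IN=wan0 SRC=192.168.0.14 DST=203.0.113.10 PROTO=UDP DPT=137",
    "Dec 11 10:09:04 gw IN=wan0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80 SYN",
    "Dec 11 10:09:09 gw IN=wan0 SRC=10.4.4.4 DST=203.0.113.10 PROTO=TCP DPT=445 SYN",
    "Dec 11 10:09:12 gw IN=lan0 SRC=192.168.0.20 DST=198.51.100.7 PROTO=TCP DPT=80 SYN",
    "Dec 11 10:09:15 gw IN=wan0 SRC=172.20.1.1 DST=203.0.113.10 PROTO=TCP DPT=80 ACK",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        action, why = verdict(entry)
        print(f"{action:4}  {why:55}  {entry.split(' gw ')[1]}")
```

The same 192.168.0.x source is dropped when it arrives on the external interface and passed when it arrives on `lan0`, which is why the check has to be tied to the ingress interface rather than to the address alone.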
    
    



    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 14:08:18 PST