While RFC1918 addresses should not be reachable over the public portions of the Internet, VERY few routers are configured to discard traffic which shows them (or any other bogus/impossible value) as a source. In general, routing and filtering look only at the destination address. Since these are not supposed to be valid destinations, it should not be possible to complete a TCP three-way handshake and establish a session with them over the Internet. However, this point is moot if the purpose of a packet is to do its damage without such a session, either by crafting of the initial SYN TCP packet, or using some connectionless protocol. Reality, therefore, is that packets from these source addresses are seen on the public Internet, and that any router/firewall/gateway at a security perimeter should drop them. Further detailed examination of these packets is left as an exercise for admins with spare time. Dave Gillett > -----Original Message----- > From: Michael Sierchio [mailto:kudzuat_private] > Sent: Wednesday, December 11, 2002 10:09 AM > To: Andrews, Jonathan (US - Hermitage) > Cc: 'Julian Young'; incidentsat_private > Subject: Re: Odd entries in my Security Router logs > > > Andrews, Jonathan (US - Hermitage) wrote: > > > 192.168.0.0/16 is a privately addressed netblock. These > packets could not > > be routed over the Internet. ... > > > Sadly, this is not invariably the case. Only recently did my > ISP respond to > months of complaints about routing from/to RFC 1918 addresses. > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 14:08:18 PST