Security Basics mailing list archives
RE: 192.168.x.x oddities
From: "Jimmy Brokaw" <hedgie () hedgie com>
Date: Tue, 15 Jun 2004 21:31:56 -0400 (EDT)
I got a lot of helpful replies, both on and off list, which prompted me to do a little deeper digging. I'll try to answer everyone's questions collectively, rather than answering twenty separate e-mails.

Excluding my computers, broadcast addresses, and network addresses, the "rogue" addresses left were:

192.168.18.254
192.168.19.1
192.168.19.254
192.168.100.1

After doing traceroutes, I got the following:

192.168.18.254 - packet reaches gateway, then an unidentified computer registered to my ISP, then is blocked thereafter. All hops are public IPs.
192.168.19.1 - packet reaches gateway, then the same unid'd computer as before, then 172.18.240.1 -- another RFC 1918 address, then reaches 192.168.19.1.
192.168.19.254 - Same as .1, except it stops at 172.18.240.1 (Does this mean both addresses are the same machine?)
192.168.100.1 - Goes through my router and stops. I quickly deduced this was my cable modem, and a quick port scan confirmed this.

So, my list of "rogue" addresses is down to three:

192.168.18.254
192.168.19.1
192.168.19.254

192.168.18.254 has no open ports to help identify it. Most ports are closed, some (netbios, subseven, and a few others) are filtered. No idea what this machine is.

192.168.19.1 has a lot of open ports, including ftp, telnet, smtp, time, sunrpc, X11 (6000), and quite a few more. NMap failed to id the OS, although the open ports give a little clue. I'm sure I could find more out with banner grabs, but I'm not positive how the ISP would look at that.

192.168.19.254 has telnet, 2001, and 6001 open. Again, no OS fingerprint.

To answer the question of several people, no, these are not computers connected via wifi. If my security, authentication, and logging weren't enough to demonstrate it, the traceroutes should. And besides, they stay if I disable the wifi. :) And yes, the cable company issues me a public IP address.

Right now my NetGear router is using 192.168.0.* as the private address range, with a subnet mask of 255.255.255.0.

Again, I'm not an expert by any means. I'm assuming that if I change that mask to 255.255.0.0, I'll lose the ability to see these machines - is this correct? I was also thinking of leaving the common 192.168.*.* range for other RFC 1918 address blocks, but the 172.18.240.1 address that appeared in my previous traceroute makes me think that there are other RFC 1918 addresses out there.

I understand my router *ought* to not route RFC 1918 traffic out to the Net, but there doesn't appear to be any option to restrict it (unless I program static routes for them all). It also seems the ISP *ought* to filter that traffic originating from cable modems.

At this point I'm very close to calling the ISP and telling them about the problem. Getting ahold of an intelligent person might prove difficult, but I'm guessing that calling or e-mailing the TechName from the WHOIS database might prove the best starting point (as opposed to Tech Support, irk). What I'd really like to grasp before doing that is:

(1) Is there any legitimate reason why I ought to be able to reach out to RFC 1918 IP addresses from my network? Someone mentioned TFTP for cable modem updates, but I don't see why that can't be done with public IP addresses. I also seriously doubt these machines fall in that category.

(2) Are there real security concerns with this configuration? Intuitively it sounds "wrong," and a few people echoed that. But I don't know of any explicit reason for it to be so, other than the fact that future sysadmins may "assume" that those computers are on a private network when in fact all customers have access to them.

(3) Is this a "normal" configuration? I got two responses referring to ISPs that assign customers private IP addresses, but that isn't the case here. Additionally, a traceroute from my computer goes out to public IP addresses and then *back* into the private IP ranges.

-- \\\\\ hedgie () hedgie com \\\\\\\__o Bringing hedgehogs to the common folk since 1994.
__\\\\\\\'/________________________________________________________ Visit http://www.hedgie.com for information on my latest book, "Waiting for War," published by Aventine Press!
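As an added illustration (not part of the post or the thread), this Python checks the two things the post reasons about: whether changing the netmask makes an address on-link, so the host ARPs for it and the router is never consulted, and which hops in a traceroute are RFC 1918 addresses reached only after a public hop, the pattern worth raising with the ISP. The host address 192.168.0.5 and the sample trace are constructed; the public hops use documentation addresses.

```python
import ipaddress

# The three RFC 1918 private blocks the post is asking about.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def next_hop(host_ip, netmask, dest):
    """How a host configured as host_ip/netmask delivers a packet to dest.

    'on-link'  -> dest is inside the local subnet; the host ARPs for it
                  directly and the packet never reaches the router.
    'gateway'  -> dest is outside the subnet; the host sends it to the
                  default gateway, which may forward it upstream.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return "on-link" if ipaddress.ip_address(dest) in iface.network else "gateway"


def private_after_public(hops):
    """Indices of RFC 1918 hops that appear after at least one public hop.

    A trace that leaves through public space and then re-enters private
    space is exactly what the post observed.  '*' marks a timed-out hop.
    """
    seen_public, flagged = False, []
    for i, hop in enumerate(hops):
        if hop == "*":            # no reply from this hop; nothing to classify
            continue
        if is_rfc1918(hop):
            if seen_public:
                flagged.append(i)
        else:
            seen_public = True
    return flagged


if __name__ == "__main__":
    # Constructed trace: home router, two public hops, then private again.
    sample_trace = ["192.168.0.1", "203.0.113.1", "*",
                    "172.18.240.1", "192.168.19.1"]
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "->", next_hop("192.168.0.5", mask, "192.168.19.1"))
    print("private hops after a public hop:", private_after_public(sample_trace))
```

With the /24 mask 192.168.19.1 goes to the gateway and can be forwarded upstream; with /16 it becomes on-link and the host simply ARPs for a neighbour that does not exist, which is why the wider mask hides those machines rather than blocking them.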