Security Basics mailing list archives
Re: Weird IP
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 30 Jan 2009 16:45:16 +0100
On 2009-01-30 Joseph Hanna wrote:
> I am working on a case of fraud in my little organisation where we are
> dealing with fraudulent credit cards. The only thing I can see is the IP
> address has been logged as 172.16.x.x but isn't that Class B internal?
> How are they doing this? I mean how are packets being routed between
> our web-server and that IP? Any recommendations other than my blanket
> block of all Class A and Class B IPs?
Yes, 172.16.0.0/12 is a private IP address range, as specified by RFC 1918. However, there's no such thing as class A or class B networks in this day and age anymore. Look up "Classless Inter-Domain Routing" to understand why that is.

Anyway, usually it's no problem to send packets with private source IP addresses, because few routers on the Internet bother to check the source address field of a packet. It's pretty simple to do this kind of spoofing for UDP connections. For TCP it's a lot harder, because the protocol isn't stateless, but AFAIK it's doable if the attacker is able to guess the sequence numbers of response packets.

Also AFAIK, it's legitimate (though not really a good idea) for a provider to use private IP addresses inside his own network, as long as packets traversing his network boundary are properly NATed. If the attacker and your server are on the same ISP's network, the use of private addresses may be valid.

If the system was compromised, an attacker could also have altered the logs to clear his trails.

For further help/analysis you need to give more information. You may also want to contact the authorities (in case you haven't already).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
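The reply makes two points a log reviewer can turn into a check: 172.16.x.x is only private inside 172.16.0.0/12 (i.e. 172.16.0.0 through 172.31.255.255, not the whole of 172.x.x.x), and a private source address in a public web server's log is worth investigating rather than silently blocking. The following script is an added example, not code from this thread or its authors. It classifies client addresses against the RFC 1918 ranges plus loopback and link-local, parses common-log-format lines, and reports the entries that should never have come from the Internet. The log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Address blocks that must never appear as a client address on a server
# that only talks to the public Internet. RFC 1918 defines the first three.
RESERVED_SOURCE_RANGES = {
    "rfc1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}

# Apache/nginx common log format: client ident user [time] "request" status size
COMMON_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log; the public addresses come from the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24), the private ones from RFC 1918.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2009:14:02:11 +0100] "POST /checkout HTTP/1.1" 200 512
172.16.4.9 - - [30/Jan/2009:14:03:40 +0100] "POST /checkout HTTP/1.1" 200 498
198.51.100.23 - - [30/Jan/2009:14:05:02 +0100] "GET /index.html HTTP/1.1" 200 1200
192.168.1.20 - - [30/Jan/2009:14:06:15 +0100] "POST /checkout HTTP/1.1" 200 503
this line is not a valid log entry
"""


def classify_source(ip_str):
    """Return the label of the reserved block containing ip_str, or 'public'.

    Uses CIDR membership, so 172.32.0.1 is correctly reported as public even
    though a 'classful' reading of 172.x.x.x would lump it in with 172.16.x.x.
    """
    ip = ipaddress.ip_address(ip_str)
    for label, networks in RESERVED_SOURCE_RANGES.items():
        if any(ip in net for net in networks):
            return label
    return "public"


def parse_common_log_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    match = COMMON_LOG_RE.match(line)
    if not match:
        return None
    try:
        ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    return match.groupdict()


def flag_reserved_sources(lines):
    """Return the parsed entries whose client address is in a reserved block.

    Each returned dict carries the parsed fields plus a 'label' naming the block.
    Unparseable lines are skipped rather than crashing the review.
    """
    flagged = []
    for line in lines:
        entry = parse_common_log_line(line)
        if entry is None:
            continue
        label = classify_source(entry["ip"])
        if label != "public":
            entry["label"] = label
            flagged.append(entry)
    return flagged


def summarize(flagged):
    """Count flagged entries per reserved-block label."""
    return dict(Counter(entry["label"] for entry in flagged))


if __name__ == "__main__":
    hits = flag_reserved_sources(SAMPLE_LOG.splitlines())
    for entry in hits:
        print(f'{entry["ip"]:<16} {entry["label"]:<11} {entry["time"]}  {entry["request"]}')
    print("summary:", summarize(hits))
```

A flagged entry does not by itself say how the packet got there. Besides the spoofing and same-ISP cases the reply describes, the most common benign cause is a reverse proxy or load balancer in front of the web server, in which case the real client address lives in a forwarded-for header and the logging needs fixing, not the firewall. If none of those explain it, the log-tampering possibility from the reply moves up the list, and the flagged timestamps give the window to compare against other evidence.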
Current thread:
- Weird IP Joseph Hanna (Jan 30)
- Re: Weird IP Robin Wood (Jan 30)
- Re: Weird IP Ansgar Wiechers (Jan 30)