Security Incidents mailing list archives

Re: Odd snmp scans from 10.0.0.0/8 address ???


From: xm () GEEKMAFIA DYNIP COM (Ex Machina)
Date: Thu, 27 Apr 2000 16:46:01 -0400


Interestingly enough, I've noticed that a LOT of large ISPs use 10.* for
routers/stuff within their network. It is one of the reasons that you'll
see random hops missing in traceroutes.

Ex Machina (xm () geekmafia dynip com)    http://geekmafia.dynip.com/~xm/
phone:  1-877-LPT-WHIP         icq:  3387005           aim:  ExMachina
GnuPG Keyprint:     0627 C3A8 DE25 F7FB 46BD  4870 2006 CF7F EBDA 949D

On Thu, 27 Apr 2000, Wes Hardaker wrote:

Date: Thu, 27 Apr 2000 07:55:28 -0700
From: Wes Hardaker <wjhardaker () UCDAVIS EDU>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Odd snmp scans from 10.0.0.0/8 address ???

On Wed, 26 Apr 2000 17:06:50 +1200, Russell Fulton <r.fulton () AUCKLAND AC NZ> said:

Russell> A few days ago we saw a series of scans that varied the 3rd
Russell> octet of the IP address (see argus logs below).  These scans
Russell> appeared to be part of a much wider scan perhaps all of 130/8
Russell> as the scans repeated every couple of hours with a new final
Russell> octet.

But if they're coming from the 10.x.x.x block, then they are quite
possibly coming from internally to your site since no one should be
routing those packets through the net in the first place.

It's probably someone at your site running network management software
that's doing a map of the network.

--
Wes Hardaker
Distributed Computing Analysis and Support
University of California at Davis
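
A triage sketch for the question raised in this thread, added here as an example and not posted by any of the participants: it groups SNMP flows with RFC 1918 sources by the interface they arrived on and reports which destination octet the scan varies. The flow tuple layout, the interface names `border` and `campus`, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; these should never be routed across the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not the argus logs from the thread):
# (ingress interface, source IP, destination IP, destination UDP port)
SAMPLE_FLOWS = [
    ("border", "10.1.2.3", "198.18.1.25", 161),
    ("border", "10.1.2.3", "198.18.2.25", 161),
    ("border", "10.1.2.3", "198.18.3.25", 161),
    ("campus", "10.9.9.9", "198.18.1.1", 161),
    ("campus", "10.9.9.9", "198.18.1.2", 161),
    ("border", "198.51.100.7", "198.18.4.25", 161),  # public source, ignored
]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def varying_octets(dests):
    """1-based positions of the destination octets that change across a scan."""
    columns = zip(*(d.split(".") for d in dests))
    return [pos for pos, col in enumerate(columns, start=1) if len(set(col)) > 1]

def triage(flows, external_ifaces=("border",), snmp_port=161):
    """Group SNMP flows from private sources by (source, ingress interface)."""
    seen = defaultdict(list)
    for iface, src, dst, dport in flows:
        if dport == snmp_port and is_rfc1918(src):
            seen[(src, iface)].append(dst)
    report = {}
    for (src, iface), dests in seen.items():
        report[(src, iface)] = {
            # "external": arrived from upstream, so it was leaked or spoofed there
            # "internal": originated on the local network
            "verdict": "external" if iface in external_ifaces else "internal",
            "targets": len(dests),
            "varying_octets": varying_octets(dests),
        }
    return report

if __name__ == "__main__":
    for key, info in triage(SAMPLE_FLOWS).items():
        print(key, info)
```

An "external" verdict points at missing filtering of RFC 1918 sources on the upstream link; an "internal" verdict points at a local host to track down.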


