Security Incidents mailing list archives
Re: Strange traceroute
From: rquinn () SEC SPRINT NET (Rob Quinn)
Date: Tue, 8 Feb 2000 08:31:10 -0500
As I mentioned in some of my previous posts, some people use private IP range IP addresses [...] it works in most cases and doesn't interfere with anything but traceroute [...]
These routers could be sending you ICMP messages. If you're filtering external reserved IP's you'll miss those packets. Check out http://www.worldgate.com/~marcs/mtu/, "Path MTU Discovery and Filtering ICMP". The last paragraph:
So how can using RFC 1918 addresses for router links cause problems? On many routers, a separate IP address in the same subnet is required for each end of a point to point link. This can use address space if there are a large number of such links. Since the actual address of the links doesn't appear to impact much, many people use RFC 1918 private address space for such links. The blocks included in this are: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) If you are using such addresses, then ICMP messages (including "can't fragment" errors) will normally be generated using such addresses. Since many networks filter incoming traffic from such reserved addresses, the net result is the same as if all ICMP were being filtered and can cause the same problems.
-- | Opinions are _mine_, facts Rob Quinn | | are facts. (703)689-6582 | | rquinn () sec sprint net | | Sprint Corporate Security |
Current thread:
- Re: Private networks and home.{net|com}, (continued)
- Re: Private networks and home.{net|com} Andy Smith (Feb 09)
- massive unapproved AXFR's and odd rcvd NOTIFY's Paul Wouters (Feb 09)
- Re: massive unapproved AXFR's and odd rcvd NOTIFY's Francis A. Vidal (Feb 09)
- [UPDATE]Dos Trojan on Solaris Roderick Padilla (Feb 09)
- Re: [UPDATE]Dos Trojan on Solaris Ross Mueller (Feb 09)
- a very strange scan Boris Badenov (Feb 09)
- Re: a very strange scan Russell Fulton (Feb 10)
- Possible stacheldraht variant/probe Stephen P. Berry (Feb 09)
- Re: Possible stacheldraht variant/probe David Brumley (Feb 10)
- Re: [UPDATE]Dos Trojan on Solaris Robert Lau (Feb 09)
- Re: Strange traceroute Rob Quinn (Feb 08)
- vi as a suid Paulo Ribeiro (Feb 08)
- Re: Strange traceroute Hauke Johannknecht (Feb 08)
- Re: sendmail vunerability ? CyberPsychotic (Feb 07)
- Re: sendmail vunerability ? H D Moore (Feb 10)