Security Incidents mailing list archives
Re: Weird Packet
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 21 Feb 2001 10:25:52 +1300
On Tue, 20 Feb 2001 10:53:33 -0500 Leon Rosenstein <l_rosenstein () MONTELSHOW COM> wrote:
Hi everyone. I got this one packet last night (it was picked up by zonealarm) and I was wondering if I might call on the talented people on this list to help me learn how it was possible that the packet was on the internet in the first place. The firewall has blocked Internet access to your computer (NetBIOS Name) from 10.1.1.205 (NetBIOS Name). Time: 2/19/2001 21:51:48 How is it possible to have that non-routable IP send a packet my system?
We see these all the time, sigh... ISPs who use these addresses internally *should* filter so they never escape to the net at large, it would appear that some don't (or don't do it effectively). If the packet gets out then it will be delivered to its destination address. Most likely source is a windows box on some cable or dsl network which has been compromised by a worm and is now scanning random addresses on the net. I suspect that some ISPs use NAT for tcp connections but simply ignore udp. Alternatively there are almost certainly a few misconfigured routers where the filters have got mangled, everthing works so unless someone looks who will ever know there is a problem. Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand
Current thread:
- Weird Packet Leon Rosenstein (Feb 20)
- Re: Weird Packet Russell Fulton (Feb 20)
- Re: Weird Packet Ryan Russell (Feb 20)
- <Possible follow-ups>
- Re: Weird Packet Justin Shore (Feb 20)
- Re: Weird Packet Mike Ciavarella (Feb 21)
- Re: Weird Packet Bill Royds (Feb 21)