Security Incidents mailing list archives

Re: Weird Packet


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 21 Feb 2001 10:25:52 +1300

On Tue, 20 Feb 2001 10:53:33 -0500 Leon Rosenstein
<l_rosenstein () MONTELSHOW COM> wrote:

> Hi everyone.  I got this one packet last night (it was picked up by
> ZoneAlarm) and I was wondering if I might call on the talented people on
> this list to help me learn how it was possible that the packet was on the
> internet in the first place.
>
> The firewall has blocked Internet access to your computer (NetBIOS Name)
> from 10.1.1.205 (NetBIOS Name).
>
> Time: 2/19/2001 21:51:48
>
> How is it possible to have that non-routable IP send a packet to my system?

We see these all the time, sigh... ISPs who use these addresses
internally *should* filter so they never escape to the net at large; it
would appear that some don't (or don't do it effectively).  If the
packet gets out then it will be delivered to its destination address.

Most likely source is a Windows box on some cable or DSL network which
has been compromised by a worm and is now scanning random addresses on
the net.  I suspect that some ISPs use NAT for TCP connections but
simply ignore UDP.  Alternatively there are almost certainly a few
misconfigured routers where the filters have got mangled; everything
works, so unless someone looks, who will ever know there is a problem?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
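
An added example, not part of the original message: a small detector that reads alerts in the wording quoted above and reports the ones whose source lies in an RFC 1918 block, which on an Internet-facing host means an upstream network is not filtering its private addresses. The function names and all sample alerts other than the first are assumptions made for the illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; a packet arriving from the Internet with one of
# these as its source means some upstream network is not filtering egress.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Alert wording as quoted in the message: a "from <ip>" line, then "Time: ...".
ALERT_RE = re.compile(r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b"
                      r".*?Time:\s*(?P<time>[^\n]+)", re.DOTALL)

def rfc1918_network(addr):
    """Return the RFC 1918 block containing addr, or None (also for bad input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in RFC1918 if ip in net), None)

def leaked_private_sources(alert_text):
    """Return (time, source, block) for every alert whose source is RFC 1918."""
    hits = []
    for m in ALERT_RE.finditer(alert_text):
        net = rfc1918_network(m.group("src"))
        if net is not None:
            hits.append((m.group("time").strip(), m.group("src"), str(net)))
    return hits

# Constructed sample: the first alert is the one quoted in the message, the
# others are made up in the same wording (198.51.100.7 is a documentation address).
SAMPLE_ALERTS = """\
The firewall has blocked Internet access to your computer (NetBIOS Name)
from 10.1.1.205 (NetBIOS Name).

Time: 2/19/2001 21:51:48
The firewall has blocked Internet access to your computer (NetBIOS Name)
from 198.51.100.7 (NetBIOS Name).

Time: 2/19/2001 22:03:10
The firewall has blocked Internet access to your computer (NetBIOS Name)
from 172.32.0.1 (NetBIOS Name).

Time: 2/19/2001 22:15:02
"""

if __name__ == "__main__":
    for when, src, block in leaked_private_sources(SAMPLE_ALERTS):
        print(f"{when}  {src}  in {block}: upstream is leaking private sources")
```

The 172.32.0.1 alert is deliberately not reported: 172.16.0.0/12 ends at 172.31.255.255, so that address is ordinary routable space.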

