Security Incidents mailing list archives
RE: Odd entries in my Security Router logs
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 11 Dec 2002 12:59:12 -0800
While RFC1918 addresses should not be reachable over the public portions of the Internet, VERY few routers are configured to discard traffic which shows them (or any other bogus/impossible value) as a source. In general, routing and filtering look only at the destination address.

Since these are not supposed to be valid destinations, it should not be possible to complete a TCP three-way handshake and establish a session with them over the Internet. However, this point is moot if the purpose of a packet is to do its damage without such a session, either by crafting of the initial SYN TCP packet, or using some connectionless protocol.

Reality, therefore, is that packets from these source addresses are seen on the public Internet, and that any router/firewall/gateway at a security perimeter should drop them. Further detailed examination of these packets is left as an exercise for admins with spare time.

Dave Gillett
-----Original Message-----
From: Michael Sierchio [mailto:kudzu () tenebras com]
Sent: Wednesday, December 11, 2002 10:09 AM
To: Andrews, Jonathan (US - Hermitage)
Cc: 'Julian Young'; incidents () securityfocus com
Subject: Re: Odd entries in my Security Router logs

Andrews, Jonathan (US - Hermitage) wrote:

> 192.168.0.0/16 is a privately addressed netblock. These packets could not be routed over the Internet. ...

Sadly, this is not invariably the case. Only recently did my ISP respond to months of complaints about routing from/to RFC 1918 addresses.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
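An added example, not part of the original thread: one way to pick out the log entries this message is about, packets arriving on the Internet-facing interface with a source that should never appear there. The key=value log format, the interface names eth0/eth1 and the non-RFC1918 ranges in the table are assumptions made for the sketch.

```python
import ipaddress
import re

# Sources that should never arrive on an Internet-facing interface.
# The RFC 1918 ranges are the ones the thread names; the others are
# assumed examples of "bogus/impossible" source values.
BOGON_SOURCES = {
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918",
    "192.168.0.0/16": "RFC 1918",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "224.0.0.0/4": "multicast as source",
}
_NETS = [(ipaddress.ip_network(n), why) for n, why in BOGON_SOURCES.items()]
_FIELD = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value log format

def classify_source(addr):
    """Return why a source address is bogus, or None if it is plausible."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "unparseable"
    for net, why in _NETS:
        if ip in net:
            return why
    return None

def spoofed_inbound(lines, wan_if="eth0"):
    """Return (src, dst, proto, reason) for WAN-side packets with bogus sources."""
    hits = []
    for line in lines:
        f = dict(_FIELD.findall(line))
        # Private sources are normal on the inside interface; only the
        # perimeter-facing side is checked.
        if f.get("in") != wan_if or "src" not in f:
            continue
        reason = classify_source(f["src"])
        if reason:
            hits.append((f["src"], f.get("dst"), f.get("proto"), reason))
    return hits

SAMPLE_LOG = [  # constructed lines using private and documentation addresses
    "in=eth0 src=192.168.1.77 dst=198.51.100.10 proto=udp dport=53",
    "in=eth0 src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=80",
    "in=eth1 src=192.168.0.20 dst=203.0.113.9 proto=tcp dport=443",
    "in=eth0 src=10.9.8.7 dst=198.51.100.10 proto=tcp dport=25",
    "in=eth0 src=127.0.0.1 dst=198.51.100.10 proto=tcp dport=80",
]
```

Calling `spoofed_inbound(SAMPLE_LOG)` returns the three eth0 entries with private or loopback sources and skips the eth1 line, where an RFC 1918 source is expected.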