nanog mailing list archives
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 2 Sep 2008 17:28:36 -0500 (CDT)
My profile and resume: http://www.linkedin.com/in/gadievron

On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here: http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay)?

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged.)
It should be treated as an intelligence source; sharing that one openly is probably counter-productive.
Regardless, very interesting. I think follow-up just for interest's sake may be worth it.
-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
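Added example, not from the thread and not code either poster shared: a small Python triage pass over "debug cef drops" output in the line format Dan quoted above. It parses each CEF-Drop line, counts drops per destination and drop reason, and flags the entries worth dispatching someone for: destinations on a local watchlist, and bursts where the same destination and reason repeat several times within one log second (as the eight 198.32.64.12 lines do), which separates a steady stream from a stray mis-route. The sample log lines, the watchlist contents, the extra drop reason and the burst threshold are all constructed for illustration and are not claims about what 198.32.64.12 is or was used for.

```python
"""Triage 'debug cef drops' output: count no-route drops per destination and
flag the ones that merit follow-up.

Added example (not from the NANOG thread). Line format follows the lines
quoted in the thread; the sample lines, watchlist and threshold below are
constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches lines such as:  Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
CEF_DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}): CEF-Drop: Packet for "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)

# Constructed watchlist (assumption): destinations an operator has decided to
# track, e.g. addresses seen hard-coded in published exploit write-ups.
WATCHLIST = {ipaddress.ip_address("198.32.64.12")}

# Constructed sample log. The first eight lines mirror the shape of the quoted
# output; the remaining lines are made up to show non-flagged cases.
SAMPLE_LOG = (
    ["Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route"] * 8
    + [
        "Sep 2 22:03:26: CEF-Drop: Packet for 203.0.113.7 -- no route",
        "Sep 2 22:03:41: CEF-Drop: Packet for 203.0.113.7 -- no route",
        "Sep 2 22:03:41: CEF-Drop: Packet for 192.0.2.55 -- no adjacency",
        "Sep 2 22:03:42: some unrelated syslog line",
    ]
)


def parse_drop(line):
    """Return (timestamp, destination, reason) for a CEF-Drop line, else None."""
    m = CEF_DROP_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), ipaddress.ip_address(m.group("dst")), m.group("reason")


def summarize(lines):
    """Return Counter keyed by (destination, reason) over the parseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec:
            _, dst, reason = rec
            counts[(str(dst), reason)] += 1
    return counts


def triage(lines, threshold=5):
    """Return [(dst, reason, total, why)] for drops that deserve follow-up.

    An entry is flagged when the destination is on WATCHLIST, or when the same
    (dst, reason) repeats at least `threshold` times within a single log second
    (a burst rather than an isolated mis-route).
    """
    totals = summarize(lines)
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_drop(line)
        if rec:
            ts, dst, reason = rec
            per_second[(str(dst), reason)][ts] += 1

    flagged = []
    for (dst, reason), total in sorted(totals.items()):
        why = []
        if ipaddress.ip_address(dst) in WATCHLIST:
            why.append("watchlist")
        burst = max(per_second[(dst, reason)].values())
        if burst >= threshold:
            why.append(f"burst:{burst}/s")
        if why:
            flagged.append((dst, reason, total, ",".join(why)))
    return flagged


if __name__ == "__main__":
    for dst, reason, total, why in triage(SAMPLE_LOG):
        print(f"{dst:16} {reason:14} x{total:<4} {why}")
```

Feed it the real debug output one line at a time; anything it flags is the subset worth pulling source addresses for, and the rest is ordinary no-route noise on a defaultless network.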
Current thread:
- 198.32.64.12 -- Harmless mis-route or potential exploit? Dan Mahoney, System Admin (Sep 02)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? Gadi Evron (Sep 02)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? Paul Wall (Sep 02)
- self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?] Patrick W. Gilmore (Sep 02)
- Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?] Steven M. Bellovin (Sep 02)
- Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?] Gadi Evron (Sep 02)
- Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or Joe Greco (Sep 03)
- Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or Steven M. Bellovin (Sep 03)
- Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or Lamar Owen (Sep 03)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? Paul Wall (Sep 02)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? Gadi Evron (Sep 02)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? micky coughes (Sep 02)
- Re: 198.32.64.12 -- Harmless mis-route or potential exploit? Gadi Evron (Sep 02)