nanog mailing list archives
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
From: bmanning () vacation karoshi com
Date: Wed, 3 Sep 2008 12:42:48 +0000
well, actually.... this was the IP address used for l.root-servers.net from 1998-2008. so i guess you could say it's never been used for anything. we are not currently routing that prefix and there should currently be nothing at that IP address.

--bill

On Tue, Sep 02, 2008 at 06:24:21PM -0400, Dan Mahoney, System Admin wrote:
Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
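
Added example, not part of either message in this thread: a small triage script that groups "debug cef drops" lines by destination, reports per-second bursts, and annotates destinations that have a known benign explanation. The function name, the burst threshold, the KNOWN_RETIRED table (its one entry is taken from the reply above) and the 192.0.2.1 sample line are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Destinations with a known benign explanation. The single entry comes from
# the reply on this page; extend the table with your own notes (assumption).
KNOWN_RETIRED = {"198.32.64.12": "l.root-servers.net address, 1998-2008"}

# Matches lines of the form quoted in the post:
#   Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): CEF-Drop: "
    r"Packet for (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)

def summarize_drops(lines, burst_threshold=5):
    """Group CEF-Drop lines by destination and flag per-second bursts."""
    totals = Counter()
    per_second = defaultdict(Counter)
    reasons = defaultdict(set)
    for line in lines:
        m = DROP_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a CEF-Drop line
        dst = m["dst"]
        totals[dst] += 1
        per_second[dst][m["ts"]] += 1
        reasons[dst].add(m["reason"])
    report = {}
    for dst, count in totals.items():
        _, peak = per_second[dst].most_common(1)[0]
        report[dst] = {
            "count": count,
            "reasons": sorted(reasons[dst]),
            "peak_per_second": peak,
            "burst": peak >= burst_threshold,
            "note": KNOWN_RETIRED.get(dst, "unexplained: trace the source"),
        }
    return report

# Constructed sample: the eight lines quoted in the post, plus one invented
# drop toward a documentation address (192.0.2.1) for contrast.
SAMPLE = ["Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route"] * 8
SAMPLE.append("Sep 2 22:03:26: CEF-Drop: Packet for 192.0.2.1 -- no route")

if __name__ == "__main__":
    for dst, info in summarize_drops(SAMPLE).items():
        print(dst, info)
```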