Security Basics mailing list archives

Re: Weird IP


From: Gary Douglas <dougary () gmail com>
Date: Mon, 2 Feb 2009 05:21:13 -0600

You might want to look into putting in an egress filter. On the network edge device set up an ACL to drop all private IPs from entering your network. You should also set up a filter to only allow your IP address range out. Both of these are common practice.

Thank you
Gary Douglas



On Jan 30, 2009, at 9:45 AM, Ansgar Wiechers wrote:

On 2009-01-30 Joseph Hanna wrote:
I am working on a case of fraud in my little organisation where we are
dealing with fraudulent credit cards. The only thing I can see is the
IP address has been logged as 172.16.x.x but isn't that Class B
internal? How are they doing this? I mean how are packets being routed
between our web-server and that IP? Any recommendations other than my
blanket block all Class A and Class B IPs?

Yes, 172.16.0.0/12 is a private IP address range, as specified by RFC
1918. However, there's no such thing as class A or class B networks in
this day and age anymore. Look up "Classless Inter-Domain Routing" to
understand why that is.

Anyway, usually it's no problem to send packets with private source IP
addresses, because few routers on the Internet bother to check the
source address field of a packet. It's pretty simple to do this kind of
spoofing for UDP connections. For TCP it's a lot harder, because the
protocol isn't stateless, but AFAIK it's doable if the attacker is able
to guess the sequence numbers of response packets. Also AFAIK, it's
legitimate (though not really a good idea) for a provider to use private
IP addresses inside his own network, as long as packets traversing his
network boundary are properly NATed. If the attacker and your server are
on the same ISP's network, the use of private addresses may be valid.

If the system was compromised, an attacker could also have altered the
logs to clear his trails.

For further help/analysis you need to give more information.

You may also want to contact the authorities (in case you haven't
already).

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
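A worked version of the edge filtering Gary recommends (drop private-source packets on ingress, allow only your own range on egress), together with a scan of web-server log lines for RFC 1918 source addresses like the 172.16.x.x entry Joseph saw. This is an added example, not code from the thread or from either poster; the "own" prefix 203.0.113.0/24 (a documentation range), the interface name and the sample log lines are constructed for illustration.

```python
"""Edge anti-spoofing filter check and RFC 1918 log scan (added example)."""
import ipaddress
import re

# RFC 1918 private ranges. 172.16.0.0/12 is one of them; under CIDR it is a
# /12 prefix, not a "class B" network.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed: the organisation's public allocation (hypothetical documentation prefix).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_rfc1918(ip):
    """True if ip (string) falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def filter_decision(direction, src):
    """Return ("drop" | "allow", reason) for a packet with source address src.

    ingress: drop private sources (they cannot legitimately arrive from the
             Internet) and drop packets claiming our own prefix (spoofing).
    egress:  allow only packets sourced from our own prefix, so a compromised
             internal host cannot spoof someone else's address outbound.
    """
    addr = ipaddress.ip_address(src)
    from_own = any(addr in net for net in OWN_PREFIXES)
    if direction == "ingress":
        if is_rfc1918(src):
            return "drop", "rfc1918 source on ingress"
        if from_own:
            return "drop", "spoofed own prefix on ingress"
        return "allow", "public source"
    if direction == "egress":
        if from_own:
            return "allow", "own prefix"
        return "drop", "egress source not in own prefix"
    raise ValueError("direction must be 'ingress' or 'egress'")


def iptables_rules(wan_iface="eth0"):
    """Render the same policy as iptables FORWARD rules for the WAN interface
    (interface name is an assumption; adapt to the real edge device)."""
    rules = []
    for net in RFC1918:
        rules.append(f"iptables -A FORWARD -i {wan_iface} -s {net} -j DROP")
    for net in OWN_PREFIXES:
        rules.append(f"iptables -A FORWARD -i {wan_iface} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -o {wan_iface} -s {net} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -o {wan_iface} -j DROP")
    return rules


# Common Log Format: client address is the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*"')

# Constructed sample log lines, not real data from the thread.
SAMPLE_LOG = """\
172.16.4.20 - - [30/Jan/2009:09:12:01 +0000] "POST /checkout HTTP/1.1" 200 512
198.51.100.7 - - [30/Jan/2009:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024
10.1.2.3 - - [30/Jan/2009:09:13:44 +0000] "POST /checkout HTTP/1.1" 200 512
"""


def private_source_lines(log_text):
    """Return the client addresses of log lines whose source is RFC 1918."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            if is_rfc1918(m.group(1)):
                hits.append(m.group(1))
        except ValueError:
            continue  # not an IP address (e.g. a hostname); skip it
    return hits


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    print("private sources in log:", private_source_lines(SAMPLE_LOG))
```

The RFC 1918 list is spelled out rather than using Python's `ip.is_private`, which also matches loopback, link-local, documentation and other special ranges that are a different question from "could this have come from the Internet". If the ISP carries private addressing inside its own network, as Ansgar mentions, the ingress rule will drop that traffic too; for a public web server that is the intended behaviour, and anything still logged with a private source afterwards points at a spoofed packet, an internal host, or an altered log.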
