Security Basics mailing list archives

Re: Weird IP


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 30 Jan 2009 16:45:16 +0100

On 2009-01-30 Joseph Hanna wrote:
> I am working on a case of fraud in my little organisation where we are
> dealing with fraudulent credit cards. The only thing I can see is the
> IP address has been logged as 172.16.x.x but isn't that Class B
> internal? How are they doing this? I mean how are packets being routed
> between our web-server and that IP? Any recommendations other than my
> blanket block all Class A and Class B IPs?

Yes, 172.16.0.0/12 is a private IP address range, as specified by RFC
1918. However, there's no such thing as class A or class B networks in
this day and age anymore. Look up "Classless Inter-Domain Routing" to
understand why that is.

Anyway, usually it's no problem to send packets with private source IP
addresses, because few routers on the Internet bother to check the
source address field of a packet. It's pretty simple to do this kind of
spoofing for UDP connections. For TCP it's a lot harder, because the
protocol isn't stateless, but AFAIK it's doable if the attacker is able
to guess the sequence numbers of response packets. Also AFAIK, it's
legitimate (though not really a good idea) for a provider to use private
IP addresses inside his own network, as long as packets traversing his
network boundary are properly NATed. If the attacker and your server are
on the same ISP's network, the use of private addresses may be valid.

If the system was compromised, an attacker could also have altered the
logs to clear his trails.

For further help/analysis you need to give more information.

You may also want to contact the authorities (in case you haven't
already).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
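Added example (not part of the thread above, and not code from either poster): a small log-triage script that applies the two points made in the reply, namely that RFC 1918 is defined by CIDR prefixes rather than address classes, and that an RFC 1918 source address in a public web server's log is something to flag rather than explain away. The log lines are constructed for illustration and the Apache-style format is an assumption; on a real server, run it over your own access log and compare the two result sets.

```python
import ipaddress
import re

# The three RFC 1918 private blocks, expressed as CIDR prefixes.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed Apache combined-format lines for illustration only (not real data).
# 172.32.7.1 is deliberately included: classful thinking calls it "Class B",
# but it is NOT inside 172.16.0.0/12 (which ends at 172.31.255.255).
SAMPLE_LOG = """\
172.16.4.9 - - [30/Jan/2009:10:11:12 +0100] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.32.7.1 - - [30/Jan/2009:10:12:01 +0100] "POST /checkout HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.2.3.4 - - [30/Jan/2009:10:13:44 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.19"
203.0.113.17 - - [30/Jan/2009:10:14:05 +0100] "POST /checkout HTTP/1.1" 200 511 "-" "Mozilla/5.0"
"""

# Assumed log layout: client IP, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_rfc1918(ip_str):
    """True if the address falls inside one of the three RFC 1918 prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def classful_class(ip_str):
    """Obsolete classful label derived from the first octet, kept only to
    show what a 'block all Class A and B' rule would actually match."""
    first = int(ip_str.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "other"


def triage(log_text):
    """Parse each log line and annotate the client address."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip = m.group("ip")
        rows.append({
            "ip": ip,
            "private": is_rfc1918(ip),
            "classful": classful_class(ip),
            "request": m.group("req"),
            "status": m.group("status"),
        })
    return rows


def suspicious_sources(log_text):
    """RFC 1918 client addresses seen by a server that faces the Internet.
    These are spoofed, came through a misconfigured NAT/ISP path, or the
    log itself was tampered with; all three deserve a closer look."""
    return sorted({r["ip"] for r in triage(log_text) if r["private"]})


def classful_overblock(log_text):
    """Addresses a classful 'block all Class A and B' rule would drop even
    though they are perfectly ordinary public addresses."""
    return sorted({r["ip"] for r in triage(log_text)
                   if r["classful"] in ("A", "B") and not r["private"]})


if __name__ == "__main__":
    print("RFC 1918 sources to investigate:", suspicious_sources(SAMPLE_LOG))
    print("Public addresses a classful block would hit:", classful_overblock(SAMPLE_LOG))
```

The second function is the practical argument against the blanket block proposed in the question: the classful rule would drop more than half of the public IPv4 space while matching nothing that the CIDR check does not already catch.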
