Re: My ISP is routing traffic to private addresses...

[Gary Baribault <gary () baribault net>]

I'm having a little trouble understanding the problem here .. my ISP
uses public addresses for our cable modems. I host an SSH server at
home, and given my nightly logs, I can guarantee that it's accessible
from the wide wed ;-), if the intermediate routers in the ISP's network
use 10.x.x.x/8 space, who cares? No one but their techs need to access
them, I assume they filter 'private' addresses at their edge so that
10.x.x.x, 192.168.x.x and 172.16.0.0-172.31.255.255 addresses don't leak
to the net. The only problem is that anyone on a cable modem could
access their 10.x.x.x/8 address space and frankly who cares. I don't see
anything wrong with this practice.

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 05/17/2013 03:20 PM, Joshua Zukerman wrote:
> Time Warner Cable (roadrunner) used to have this problem. They used
> the 10.x.x.x in various subnet masks for backend management IP
> addresses on all of their customer cable modems, plus whatever other
> network equipment they had. 2600 mag had an article a few years ago
> discussing this very issue. I assume RCN is also a cable internet
> provider, so my guess is your issue is one in the same. I can safely
> report that TWC is now filtering out those from the ethernet side of
> the cable modem (has been for about a year or so), so I cannot see any
> other 10.x.x.x networks outside of my own. Probably done via the cable
> modem config & ACLs.
>
>
> On Fri, May 17, 2013 at 3:08 PM, kyle kemmerer <krkemmerer () gmail com
> <mailto:krkemmerer () gmail com>> wrote:
>
>     So today when trying to access a device on my network (172.30.x.x
>     range) I was taken to the web interface of a completely different
>     device.  This baffled me at first, but after a bit of poking
>     around, I determined that my ISP was actually routing traffic to
>     these addresses.  See the trace below
>
>
>     Tracing route to 172.30.4.18 over a maximum of 30 hops
>
>       1    11 ms    18 ms    19 ms  XXXXXXXXX
>       2    30 ms   178 ms   212 ms  vl4.aggr1.phdl.pa.rcn.net
>     <http://vl4.aggr1.phdl.pa.rcn.net> [208.59.252.1]
>       3    13 ms    18 ms    13 ms  tge0-1-0-0.core1.phdl.pa.rcn.net
>     <http://tge0-1-0-0.core1.phdl.pa.rcn.net> [207.172.15.50]
>
>       4    37 ms    39 ms    57 ms  tge0-0-0-2.core1.lnh.md.rcn.net
>     <http://tge0-0-0-2.core1.lnh.md.rcn.net> [207.172.19.227]
>
>       5    35 ms    34 ms    32 ms  tge0-1-0-1.core1.chgo.il.rcn.net
>     <http://tge0-1-0-1.core1.chgo.il.rcn.net> [207.172.19.235
>     ]
>       6    42 ms    38 ms    39 ms  port-chan13.aggr2.chgo.il.rcn.net
>     <http://port-chan13.aggr2.chgo.il.rcn.net> [207.172.15.20
>     1]
>       7    37 ms    39 ms    39 ms
>      port-chan1.mart-ubr1.chi-mart.il.cable.rcn.net
>     <http://port-chan1.mart-ubr1.chi-mart.il.cable.rcn.net> [
>     207.229.191.132]
>       8    57 ms    61 ms    53 ms  172.30.4.18
>
>     Trace complete.
>
>
>     So I break out nmap and do a quick scan, and find that there are
>     thousands of these devices across this IP range.  Has anybody ever
>     seen anything like this?  Surely this must be a mistake, right? If
>     anybody else is using RCN as an ISP, can you access these
>     addresses as well?
>
>
>
>
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/