Security Incidents mailing list archives

Re: Strange traceroute


From: rquinn () SEC SPRINT NET (Rob Quinn)
Date: Tue, 8 Feb 2000 08:31:10 -0500


As I mentioned in some of my previous posts, some people use private IP range
IP addresses [...] it works in most cases and doesn't interfere with anything
but traceroute [...]

These routers could be sending you ICMP messages. If you're filtering external
reserved IPs you'll miss those packets. Check out
http://www.worldgate.com/~marcs/mtu/, "Path MTU Discovery and Filtering ICMP".
The last paragraph:

So how can using RFC 1918 addresses for router links cause problems?

On many routers, a separate IP address in the same subnet is required for
each end of a point to point link. This can use address space if there are a
large number of such links. Since the actual address of the links doesn't
appear to impact much, many people use RFC 1918 private address space for
such links. The blocks included in this are:
   10.0.0.0 - 10.255.255.255 (10/8 prefix)
   172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
   192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
If you are using such addresses, then ICMP messages (including "can't
fragment" errors) will normally be generated using such addresses. Since many
networks filter incoming traffic from such reserved addresses, the net result
is the same as if all ICMP were being filtered and can cause the same
problems.

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                    rquinn () sec sprint net |
|                                                Sprint Corporate Security |



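The quoted paragraph describes a Path MTU Discovery black hole: a router numbered from RFC 1918 space sends "fragmentation needed" errors from its private link address, and a border filter that drops all private-sourced packets silently discards them. The following is an added example written for this archive page, not code from the original post or from the worldgate article. It models that filter in Python on a few constructed packets (the Packet class, the sample addresses, and the filter functions are all assumptions made here): the blanket bogon filter, a variant that exempts ICMP type 3 code 4, and a small check a defender can run over a packet sample to see which fragmentation-needed messages the blanket filter would have eaten.

```python
"""Toy ingress-filter model for the RFC 1918 / ICMP black-hole problem.

Example code added to this archive page; not from the original post.
Addresses are constructed from the RFC 1918 blocks and the RFC 5737
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three private blocks listed in the quoted paragraph.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# ICMP "Destination Unreachable" (type 3), "Fragmentation needed and DF set" (code 4).
ICMP_UNREACHABLE = 3
ICMP_FRAG_NEEDED = 4


@dataclass(frozen=True)
class Packet:
    """Minimal header summary; hypothetical model used only for this example."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # only meaningful when proto == "icmp"
    icmp_code: int = -1


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any of the 10/8, 172.16/12 or 192.168/16 blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def is_frag_needed(pkt: Packet) -> bool:
    """True for the ICMP error that Path MTU Discovery depends on."""
    return (pkt.proto == "icmp"
            and pkt.icmp_type == ICMP_UNREACHABLE
            and pkt.icmp_code == ICMP_FRAG_NEEDED)


def naive_filter(pkt: Packet) -> str:
    """Blanket rule: drop anything sourced from reserved private space."""
    return "drop" if is_rfc1918(pkt.src) else "accept"


def pmtud_aware_filter(pkt: Packet) -> str:
    """Same rule, but let fragmentation-needed errors through regardless of source,
    so a privately numbered router link does not black-hole PMTUD."""
    if is_frag_needed(pkt):
        return "accept"
    return naive_filter(pkt)


def pmtud_blackhole_candidates(pkts):
    """Detection helper: fragmentation-needed errors the blanket filter would drop.
    A non-empty result on real traffic means PMTUD is being broken by the filter."""
    return [p for p in pkts if is_frag_needed(p) and naive_filter(p) == "drop"]


# Constructed sample: one host at 203.0.113.10 receiving four packets.
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "icmp", 3, 4),      # frag-needed from a 10/8 router link
    Packet("10.1.2.3", "203.0.113.10", "tcp"),             # ordinary private-sourced TCP
    Packet("198.51.100.7", "203.0.113.10", "icmp", 3, 4),  # frag-needed from a public router
    Packet("192.168.0.1", "203.0.113.10", "icmp", 8, 0),   # echo request from private source
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>14} {p.proto:<4} type={p.icmp_type:>2} code={p.icmp_code:>2} "
              f"naive={naive_filter(p):<6} pmtud_aware={pmtud_aware_filter(p)}")
    print("black-holed frag-needed from:",
          [p.src for p in pmtud_blackhole_candidates(SAMPLE)])
```

On the sample, the blanket filter drops the fragmentation-needed error from 10.1.2.3 while the PMTUD-aware filter accepts it and still drops the private-sourced TCP and echo-request packets. Exempting type 3 code 4 from a source check is the usual trade-off operators make here; running `pmtud_blackhole_candidates` over a capture of what the border filter discards is a quick way to find out whether the problem in the quoted paragraph is present on a given link.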