Security Incidents mailing list archives

Re: Strange traceroute


From: dr () DURSEC COM (Dragos Ruiu)
Date: Mon, 7 Feb 2000 19:09:10 -0800


On Sat, 05 Feb 2000, CyberPsychotic wrote:
On Thu, 3 Feb 2000 out of nowhere RB spoke:
~ :public address shows the 10.76.x.x address as the first hop. I posted it to
~ :this security list because it seemed strange that a private IP address would
~ :be displayed. I'm not thinking that I was compromised or under attack, just
~ :a little curious.
 As I mentioned in some of my previous posts, some people use private IP
range IP addresses for point-to-point interfaces on multi-homed nodes.
While it's not entirely correct (some sort of `ip unnumbered e0` is) it
works in most cases and doesn't interfere with anything but traceroute
as long as you don't use the node to establish outgoing connections..

@home cablemodems (LANcity and others) and some other Motorola based systems
(non-DOCSIS) I've seen use private 10.*.*.* addresses to access the modems
themselves and internal routers.  You find the strangest things on cablemodems
and ADSL modems when you poke around them... like open telnet ports and other
wonderful enigmas. Have you nmapped your modem lately?

--
dursec.com / kyx.net - we're from the future                      http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
          RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
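
A small check for the situation discussed in this thread, added here as an example and not part of the original post: it scans traceroute output and reports every hop that answers from an RFC 1918 private address. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; the 10.x.x.x hop from the thread falls in the first.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<hop number> <rest of line>"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted quad, not "8.112 ms"

def private_hops(traceroute_text):
    """Return [(hop, address, network)] for each responder in a private range."""
    findings, hop, seen = [], None, set()
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, rest = int(m.group(1)), m.group(2)
        elif hop is not None and line[:1].isspace():
            rest = line  # continuation line: another responder for the same hop
        else:
            continue     # header line or anything else that is not a hop
        for token in IPV4_RE.findall(rest):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # looked like an address but an octet was > 255
            for net in RFC1918:
                if addr in net and (hop, token) not in seen:
                    seen.add((hop, token))
                    findings.append((hop, token, str(net)))
    return findings

# Constructed sample output (documentation addresses plus private hops).
SAMPLE = """\
traceroute to 192.0.2.50 (192.0.2.50), 30 hops max, 40 byte packets
 1  10.76.0.1 (10.76.0.1)  8.112 ms  7.904 ms  9.337 ms
 2  198.51.100.1 (198.51.100.1)  10.201 ms  11.020 ms  10.455 ms
 3  * * *
 4  gw.example.net (172.16.4.9)  14.870 ms  15.002 ms  14.911 ms
    172.16.4.13 (172.16.4.13)  15.120 ms
 5  192.0.2.50 (192.0.2.50)  16.233 ms  16.101 ms  16.420 ms
"""

if __name__ == "__main__":
    for hop, addr, net in private_hops(SAMPLE):
        print(f"hop {hop}: {addr} is in private range {net}")
```
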


