Security Incidents mailing list archives
Re: Scans From 192.168.0.134
From: "Jon O." <jono () MICROSHAFT ORG>
Date: Thu, 1 Feb 2001 09:51:27 -0800
Doug seems to have sent this message because he didn't understand how these 'non-routable' addresses are getting picked up by his IDS that traverses his 'main' router. I assume main router means border router, or the router that carries his internet traffic.

Also, the term 'non-routable' is really causing some problems for many people so I hope this can help stop the confusion. They are called non-routable because *you* are NOT SUPPOSED to route them. If you use these addresses in your LAN, block them from leaving your border with ACLs because they should be translated (to a routable, valid address) before they leave your network. Many ISPs block these addresses at the edges and core parts of their networks.

I figure Doug's ISP might not block these addresses so a network close to his is sending these packets. I say close because they should have gotten picked off by some anti-spoofing, anti-RFC1918 ACLs if they hit an ISP with even a little clue.

NMAP scans can send a bogus source, but you shouldn't be allowing RFC1918 addresses into or out of your network in the first place. If you see them, tell your ISP that you want them to block these addresses also.

If you're not part of the solution...

Thanks,
Jon
Chief Network Henchman
http://www.securityreports.com

On Thu, 1 Feb 2001, Alan Hannan wrote:
> NMAP allows one to send bogus source IP addresses along w/ real probes to obfuscate the source.
>
> Could it be that these scans are mated with other IP addresses?
>
> -alan
>
> Thus spake Douglas P. Brown (Doug () UNC EDU) on or about Thu, Feb 01, 2001 at 10:29:57AM -0500:
> > We are somewhat perplexed - Our IDS reported 8000+ SYN FIN scans from a non-routable address (192.168.0.134) to thousands of our hosts yesterday. Our IDS setup is only seeing traffic that traverses our main router.
> >
> > Has anyone seen this before? Am I missing something? Any advice or direction you can offer would be greatly appreciated.
> >
> > Cheers,
> > -DpB
> > --
> > Douglas P. Brown
> > University of North Carolina
> > I.T. Security Consultant
> > 105 Abernethy Hall
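The border policy discussed in this message (no RFC 1918 source address should enter or leave the network untranslated), checked together with the SYN+FIN flag pattern from the original report, as an added example that is not part of the thread. The record format, the `in`/`out` direction labels and the sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges; a border router should never pass these as a source.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIN, SYN = 0x01, 0x02  # TCP flag bits

# Constructed sample records (hypothetical format, not from the thread):
# direction-at-border  source  destination  dest-port  tcp-flags(hex)
SAMPLE = """\
in 192.168.0.134 198.51.100.10 53 0x03
in 192.168.0.134 198.51.100.11 53 0x03
in 203.0.113.7 198.51.100.10 80 0x02
out 192.168.0.20 203.0.113.7 80 0x02
in 172.16.5.9 198.51.100.12 25 0x12
in 172.32.0.1 198.51.100.12 25 0x02
in bogus-line
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return any(ip in net for net in RFC1918)

def audit(text):
    """Return (findings, hits per source) for records that break border policy."""
    findings, per_source = [], Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            direction, src, _dst, _dport, flags = line.split()
            flags = int(flags, 16)
            private = is_rfc1918(src)
        except ValueError:
            continue  # malformed record: skip it rather than guess
        reasons = []
        if private and direction == "in":
            reasons.append("rfc1918-source-inbound")   # upstream did not filter
        if private and direction == "out":
            reasons.append("rfc1918-source-outbound")  # left without translation
        if flags & SYN and flags & FIN:
            reasons.append("syn-fin")                  # not a legitimate flag pair
        if reasons:
            findings.append((lineno, src, reasons))
            per_source[src] += 1
    return findings, per_source

if __name__ == "__main__":
    findings, per_source = audit(SAMPLE)
    for lineno, src, reasons in findings:
        print(f"record {lineno}: {src} {','.join(reasons)}")
    print(per_source.most_common())
```

Inbound hits are the ones to raise with the upstream ISP; outbound hits point at a missing egress ACL or a NAT gap on the local side.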