Security Incidents mailing list archives

Re: Odd entries in my Security Router logs


From: "HggdH" <hggdh () attbi com>
Date: Wed, 11 Dec 2002 16:11:55 -0600

This is one of the reasons I do not feel comfortable with just one of the
cheap routers in between you and your ISP -- there is no guarantee your ISP
will filter RFC 1918 addresses out, nor that these routers will. You are
better off assuming it is up to you to filter them out.

In fact, these routers will _not_ filter it, since they themselves cannot
know what IP ranges should, or should not, be allowed in or out. This is,
right now, the trade-off on paying $50 for a (say) LinkSys router, as
opposed to $600 up for a Cisco.

AFAIK, the best option would be to have the router (LinkSys, NetGear, etc)
PLUS a firewall correctly configured to drop the addresses.

One detail here -- depending on your ISP, you have to allow for incoming
RFC 1918 source addresses on ICMP responses, if you want traceroute to report
all hops. My ISP, for example, has a lot of routers on the 10.0.0.0 network.

----- Original Message -----
From: "James C. Slora Jr." <Jim.Slora () phra com>
To: "Andrews, Jonathan (US - Hermitage)" <joandrews () deloitte com>;
<incidents () securityfocus com>

| Private addresses _should_ not be routed. They can be and are routed with
| frustrating regularity. I get (and filter of course) private address traffic
| from:
| ISP's equipment
| Forged packets
| Overloaded remote NAT devices or firewalls
| Misconfigured NAT
| Misconfigured complex Web sites
|
| Some ISPs filter it out and some don't.
|
| > If so, this would have to be something on your internal network broadcasting
| > this traffic.
|
| Probably so, but not necessarily. Depends on whether private addresses were
| effectively filtered upstream of the network reporting the alert.
|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
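
Added example, not part of the original thread: a Python sketch of the ingress policy discussed above, dropping RFC 1918 source addresses arriving on the ISP-facing interface while still letting through the ICMP responses traceroute needs. The log line format, the function names and the choice of ICMP types 11 and 3 are assumptions of this example.

```python
import ipaddress

# The three RFC 1918 ranges, listed explicitly: ipaddress's is_private also
# covers loopback, link-local and other reserved space, which is a wider set.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: ICMP types traceroute needs back from ISP hops
# (11 = Time Exceeded, 3 = Destination Unreachable).
TRACEROUTE_ICMP_TYPES = {11, 3}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def wan_ingress_verdict(src, proto, icmp_type=None):
    """Verdict for a packet arriving on the external (ISP-facing) interface."""
    if not is_rfc1918(src):
        return "pass"        # not this filter's concern; later rules decide
    if proto == "icmp" and icmp_type in TRACEROUTE_ICMP_TYPES:
        return "allow-icmp"  # private-addressed ISP router answering a traceroute
    return "drop"            # private source from outside: forged or leaked

def review(lines):
    """Apply the policy to 'key=value' log lines (hypothetical format)."""
    results = []
    for line in lines:
        f = dict(field.split("=", 1) for field in line.split())
        icmp_type = int(f["type"]) if "type" in f else None
        results.append((f["src"], wan_ingress_verdict(f["src"], f["proto"], icmp_type)))
    return results

# Constructed sample log lines, not taken from any real router.
SAMPLE = [
    "src=10.12.0.1 proto=icmp type=11",        # ISP hop, TTL exceeded
    "src=192.168.1.50 proto=tcp dport=445",
    "src=172.31.255.254 proto=udp dport=137",  # last address in 172.16.0.0/12
    "src=172.32.0.1 proto=tcp dport=80",       # just outside 172.16.0.0/12
    "src=10.0.0.7 proto=icmp type=8",          # echo request, not a response
    "src=198.51.100.9 proto=icmp type=11",
]

if __name__ == "__main__":
    for src, verdict in review(SAMPLE):
        print(f"{src:16} {verdict}")
```
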

