Security Incidents mailing list archives

RE: spoofed packets to RFC 1918 addresses


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Fri, 28 Jun 2002 16:15:44 -0400

We've been seeing activity of this nature for months on most of our gateways.  I'm not sure where the ingress/egress 
filtering is applied at my ISP, so I'm not sure how far away (logically) the sender of the packets is.  We asked our 
ISP to monitor for them, but they were unwilling to dedicate very much router processing time to trapping the packets 
on our next hop upstream.  They basically said "call us when it's going on and we'll try and see what interface it's 
coming in on."  

I don't know about you guys, but the RFC1918 probes we've seen have been widely sporadic, and never last for more than 
a few packets at a time.  

I suppose (again, depending on where our providers apply thier filtering, if at all) it could be someone logically 
quite close with a misconfigured network interface.

Something worth mentioning:
IIRC the default subnet when using "windows connection sharing" is 192.168.1.0/24.  Could be misconfigured or leaking 
windows boxen sharing out their little LANs.  However, we do occasionally see non 192.168.1.0/24 RFC1918 space hitting 
our borders.  This is far more rare.



-----Original Message-----
From: Robert E. Lee [mailto:rel () leefam org]
Sent: Wednesday, June 26, 2002 7:55 PM
To: Dirk Koopman
Cc: Incidents Mailing List
Subject: Re: spoofed packets to RFC 1918 addresses


On 26 Jun 2002, Dirk Koopman wrote:
There seems to be a "tool" about, which is somehow able to detect valid rfc1918 addresses behind a NATed firewall
and is spoofing from addresses using random (usually non-existent) addresses from the class C on the internet side
of that firewall.

My organization saw some connection attempts to an rfc1918 space on our firewall in the past few days as well.
Specifically ip's in the 192.168.1.0/24 space, and specifically on tcp port 137.  The firewall marked the packets
as being spoofed, and dropped them.

<snip>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
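One way to triage border logs for the traffic this thread describes, as an added example (not code from any participant or from the list service): a small Python script that parses a constructed, hypothetical firewall log format (the field layout, the interface names eth0/eth1 and the sample lines are all assumptions for this example, not any real vendor's syntax) and flags two things on the Internet-facing interface: packets whose source is RFC 1918 space (spoofed, or a logically close neighbour leaking a misconfigured LAN), and packets from the Internet addressed to RFC 1918 hosts behind the NAT (the port 137 probes reported above). Flagged packets are tallied per /24 so that 192.168.1.0/24 hits can be separated from the rarer other RFC 1918 space.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format for this example (not any real firewall's syntax):
#   <timestamp> <interface> <proto> <src>[:<sport>] -> <dst>[:<dport>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def is_rfc1918(ip):
    """True if the dotted-quad string falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(line, external_ifaces=("eth0",)):
    """Parse one log line and decide whether it violates the border rule.

    Returns None for an unparseable line; otherwise the parsed fields plus a
    'verdict', one of:
      'ok'          - nothing unusual
      'rfc1918_src' - private source address arriving from the Internet
                      (spoofed, or a leaking/misconfigured neighbour)
      'rfc1918_dst' - packet from the Internet addressed to a private host
                      behind the NAT (the probes described in the thread)
    Traffic on internal interfaces is not judged: private addresses are
    expected there.  'external_ifaces' is an assumed interface naming.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["verdict"] = "ok"
    if rec["iface"] in external_ifaces:
        if is_rfc1918(rec["src"]):
            rec["verdict"] = "rfc1918_src"
        elif is_rfc1918(rec["dst"]):
            rec["verdict"] = "rfc1918_dst"
    return rec


def summarize(lines, external_ifaces=("eth0",)):
    """Count flagged packets per (verdict, /24 of the offending private address, dport).

    Grouping by /24 separates the common 192.168.1.0/24 hits from the rarer
    other RFC 1918 space.
    """
    counts = Counter()
    for line in lines:
        rec = classify(line, external_ifaces)
        if rec is None or rec["verdict"] == "ok":
            continue
        offending = rec["src"] if rec["verdict"] == "rfc1918_src" else rec["dst"]
        net24 = ipaddress.ip_network(f"{offending}/24", strict=False)
        counts[(rec["verdict"], str(net24), rec["dport"])] += 1
    return counts


# Constructed sample lines; TEST-NET addresses stand in for real public hosts.
SAMPLE_LOG = [
    "2002-06-26T19:55:01 eth0 tcp 203.0.113.7:1234 -> 192.168.1.5:137",
    "2002-06-26T19:55:02 eth0 tcp 203.0.113.7:1235 -> 192.168.1.6:137",
    "2002-06-26T19:55:03 eth0 tcp 192.168.1.9:4000 -> 198.51.100.20:80",
    "2002-06-26T19:55:04 eth0 tcp 198.51.100.3:2222 -> 203.0.113.9:22",
    "2002-06-26T19:55:05 eth1 udp 192.168.1.9:5353 -> 192.168.1.1:53",
    "2002-06-26T19:55:06 eth0 tcp 203.0.113.7:1236 -> 10.1.2.3:137",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{key[0]:12s} {key[1]:18s} dport={key[2]}  count={n}")
```

Run it as-is to see the tally for the constructed sample; point `summarize()` at real lines once the regex is adapted to your own firewall's log layout. Note that the script only tells you what crossed your border; as the thread says, whether the sender is logically close or far depends on where (if anywhere) the upstream applies ingress/egress filtering.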
