nanog mailing list archives

Re: 198.32.64.12 -- Harmless mis-route or potential exploit?


From: "Paul Wall" <pauldotwall () gmail com>
Date: Tue, 2 Sep 2008 18:44:44 -0400

Gadi,

Could you please take the self-promotion offline already?  Enough is
enough!  I don't think anybody on this list is interested in hiring
you or reviewing your resume!

(It could be argued that my post is off-topic as well.  I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron <ge () linuxbox org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron
On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:

Hello all,

While recently trying to debug a CEF issue, I found a good number of
packets in my "debug cef drops" output that were all directed at
198.32.64.12 (which I see as being allocated to ep.net but completely
unused).

Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for
anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet
due to "no route" (this provider is running defaultless, so unless such a
route exists, it should be okay)?

On the other hand, one of the other packets I'm seeing specifically refers
to a DNS exploit, so should I then dispatch to people to trace down the
source origin? (Suffice it to say the resources are there to find it
fairly easily, even if the source address is forged).

It should be treated as an intelligence source; sharing that one openly is
probably counter-productive.

Regardless, very interesting. I think follow-up just for interest's sake may
be worth it.


-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
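The practical question in Dan's post is how to tell, from "debug cef drops" output alone, whether a "no route" drop is the FIB doing its job on a defaultless network or something worth dispatching people to trace. The script below is an added example for this thread and is not code from any of the posters. It parses CEF-Drop lines in the format shown above, counts them per destination, and checks each destination against a routing table: a "no route" drop with no covering prefix is expected, while one that does fall inside a routed prefix is anomalous (a lost or flapping route). The sample log lines, the ROUTED_PREFIXES table and the WATCHLIST entry are all constructed for the example; in particular, nothing here asserts why 198.32.64.12 appears in the honeynet write-up, it is simply the destination an operator in this thread would choose to watch.

```python
"""Triage of Cisco CEF drop log lines on a defaultless network.

Added example for this NANOG thread, not code posted by anyone in it.
The log sample is constructed in the format the thread shows; the prefix
table and the watchlist are assumptions standing in for a real FIB and a
real operator's list of destinations to escalate on.
"""
import ipaddress
import re
from collections import Counter

# One CEF-Drop line: "Sep  2 22:03:25: CEF-Drop: Packet for A.B.C.D -- <reason>"
CEF_DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): CEF-Drop: Packet for "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)

# Constructed sample: the thread's repeated line plus two variants, and
# one unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.51.100.20 -- no route
Sep  2 22:03:26: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Assumed FIB of a defaultless network: only these prefixes have routes.
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",
    "198.51.100.0/24",
)]

# Assumed operator watchlist: destinations to escalate even when the drop
# itself is expected (the thread's address is the obvious entry here).
WATCHLIST = {ipaddress.ip_address("198.32.64.12")}


def parse_cef_drops(text):
    """Yield (timestamp, destination, reason) for each CEF-Drop line."""
    for line in text.splitlines():
        m = CEF_DROP_RE.match(line)
        if m:
            yield m.group("ts"), ipaddress.ip_address(m.group("dst")), m.group("reason")


def covering_prefix(addr, prefixes=ROUTED_PREFIXES):
    """Longest routed prefix covering addr, or None if nothing routes it."""
    if not isinstance(addr, ipaddress.IPv4Address):
        addr = ipaddress.ip_address(addr)
    matches = [p for p in prefixes if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def triage(text, prefixes=ROUTED_PREFIXES, watchlist=WATCHLIST):
    """Count drops per destination and classify each one.

    expected  : 'no route' and no covering prefix; the FIB did its job.
    anomalous : 'no route' but a routed prefix covers it; the route was
                lost (or the log predates a change), worth a look.
    other     : any drop reason other than 'no route'.
    The 'escalate' flag is set for anomalous drops and for watchlisted
    destinations regardless of verdict.
    """
    counts = Counter((dst, reason) for _, dst, reason in parse_cef_drops(text))
    report = {}
    for (dst, reason), n in counts.items():
        covered = covering_prefix(dst, prefixes)
        if reason != "no route":
            verdict = "other"
        elif covered is None:
            verdict = "expected"
        else:
            verdict = "anomalous"
        report[str(dst)] = {
            "reason": reason,
            "count": n,
            "verdict": verdict,
            "covered_by": str(covered) if covered else None,
            "escalate": verdict == "anomalous" or dst in watchlist,
        }
    return report


if __name__ == "__main__":
    for dst, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{dst:16} {info['count']:4d}  {info['verdict']:9}  escalate={info['escalate']}")
```

Run against a real "debug cef drops" capture, the only things to swap in are the router's actual prefix list (or a `show ip route` dump fed through `ip_network`) and whatever destinations the operator has decided to trace. Note that the log carries no source address, so the escalate flag only says which destinations are worth a packet capture upstream; as Dan points out, the source may be forged and has to be chased hop by hop.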
