Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

[David Conrad <drc () virtualized org>]

On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
> While recently trying to debug a CEF issue, I found a good number of  
> packets in my "debug cef drops" output that were all directed at  
> 198.32.64.12 (which I see as being allocated to ep.net but  
> completely unused).

As Steve Conte pointed out, that is the address that used to be used  
for l.root-servers.net.  l.root-servers.net was renumbered almost a  
year ago, with the announcement of the old address turned off about 6  
months ago.

> So the question is, should I just ignore this as a properly dropped  
> packet due to "no route" (this provider is running defaultless, so  
> unless such a route exists, it should be okay).

Packets being sent to 198.32.64.12 most likely come from DNS caching  
servers that haven't had their hints updated.  In the ideal world, you  
could hunt down those machines and kick 'em in the head (that is,  
install a new hints file).  That they're unrouted is definitely the  
way things should be.

Regards,
-drc