RE: Traceroute Question

["Laurent Kempenaar" <laurent.kempenaar () cf6 lu>]

Hello,

Private ranges defined in RFC1918 are standard internal "non-routable"
addresses. These are the following ones :

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

This is only a convention. Any router is of course able route them (seems
evident but not always to everyone...). As Jorge said, it's part of the
responsibility of the ISP to filter those addresses.

Interresting fact in the pasted traceroute below is that no intermediate
router seems to filter them, which is very unhabitual if it is a public
network.

This could come from several possibilities :

ISP :
- no ACLs is configured on the ISP's router to filter private addresses
(cardinal sin #1)
- ACLs on ISP's routers are configured to check only destination addresses
(nat done by 62.150.42.1 when requesting and return flow allowed because the
check on the nated destination addresse (still 62.150.42.1) is correct).
- those flows are permitted for debugging purposes (should be VERY
temporary)

DESTINATION NETWORK :

- No inbound natting or filtering to internal active elements (cardinal sin
#2)

In other words, anyone could break-in destination network with a private
address. Of course it would be possible to traceback the attacker, but
simple filtering (osi level 3) could seriously increase network level
security.

Maybe some other things to say...

Regards,
laurent kempenaar
Security Consultant


-----Message d'origine-----
De : Jorge Coll [mailto:jc () commonx com]
Envoye : lundi, avril 07, 2003 5:22
A : Vineet Mehta
Cc : pen-test () securityfocus com
Objet : RE: Traceroute Question


Sometimes ISPs assign their internal routers an IP in this address range
(192.168.*.* / 10.*.*.* / etc).  These addresses aren't uniquely
addressable (i.e. you can't "ping" them from various locations and
expect either a response, or a response from that particular host.)  The
routers (especially border ones) are supposed to be configured NOT to
route these private ranges, so it is ok for them to use a non-public
address on these routers.

~ ).(.

-----Original Message-----
From: Vineet Mehta [mailto:vineet () linux com kw]
Sent: Monday, April 07, 2003 4:20 AM
To: pen-test () securityfocus com
Subject: Traceroute Question

Hi all,

While trying to do traceroute on one of the server i get the following
reply:

$traceroute a.b.c.d
 1  192.168.0.254 (192.168.0.254)  0.442 ms  0.397 ms  0.358 ms
 2  62.150.42.1 (62.150.42.1)  1.951 ms  1.315 ms  1.249 ms
 3  172.17.8.149 (172.17.8.149)  43.577 ms  23.481 ms  17.653 ms
 4  border.qualitynet.net (195.226.227.1)  19.935 ms  20.902 ms  21.896
ms
 5  isp.qualitynet.net (195.226.227.10)  19.928 ms  23.302 ms  21.839 ms
 6  192.168.226.38 (192.168.226.38)  71.321 ms  282.457 ms *

My Question is why I am getting 192.168.226.38 non-route able address
output in traceroute reply? As far as i think these private address
space is not route able on the internet.

Any sugestions?

Vineet


--------------------------------------------------------------
<b>Costs are climbing and complaints are rising
as SPAM overloads your e-mail servers and Inboxes
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it.
http://www.securityfocus.com/SurfControl-pen-test2
Download a free trial and see just
what's going in and out of your organization. </b>


<b>
--------------------------------------------------------------
Costs are climbing and complaints are rising
as SPAM overloads your e-mail servers and Inboxes
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it.
http://www.securityfocus.com/SurfControl-pen-test2
Download a free trial and see just
what's going in and out of your organization. 
--------------------------------------------------------------
</b>