Re: [FW1] Strange Log Entry

[Carl E. Mankinen]

Title: RE: [FW1] Strange Log Entry

I don't know if I would agree with that.   Lot's of ISP's use RFC1918 addressing AND DNS entries for the management of broadband/adsl networks. Usually the ADSL/Cablemodem will obtain an RFC1918 address during it's bootp process. This is used by network engineers for SNMP and other diagnostic tools. It's kind of handy to have DNS entries for those.   Sometimes the provider does not do a good job and allows those RFC1918 addresses to traverse the bridge so you might see them leaking across occassionally.   ============   How secure do you think your traffic is once it leaves your cable/dsl modem? (short answer, not at all unless it's encrypted and don't believe the MYTHS the ADSL providers will tell you...)   In the case of DOCSIS, it can be much more secure because a private session key is established between the headend router and your modem, however a LOT of these so called broadband modems are still not encrypting data via baseline privacy.   I have seen successfull hack attempts where a hacker coerced his modem into allowing him to run a DHCP server. He setup a scope that was at the top end of his subnet and passed out TWO gateway addresses. The first being his modem, and the 2nd the normal gateway for the subnet. He then setup a sniffer and had access to ALL traffic traversing his node. If his modem became too congested, they would still have the normal gateway so this went undetected for some time....   What if your users are using some of those spyware programs that track what URL's they are visiting? What if they access an "INTRAnet" site and pass along authentication information in the URL? Surely the spyware data miners now have it, and if somebody has tricked you into using the wrong gateway on your node...they probably have it too... ----- Original Message ----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, January 05, 2001 5:04 PM Subject: RE: [FW1] Strange Log Entry I questioned my ISP about the address and here's what they said:         Michelle,         We have a reverse entry for some of our non-routable IP's entered into our DNS         server. This is just handy for us internally. So your source is 172.16.1.130. I guess that explains it. -----Original Message----- From: Steven Lee [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 04, 2001 4:10 PM To: [EMAIL PROTECTED] Subject: Re: [FW1] Strange Log Entry First, turn off address resolution... you'll see that t130.uia.net is actually 172.16.1.130 ( a private RFC1918 address). Are you using 172.16 as an internal address? Second, you should tell your ISP that they shouldn't be populating their DNS with A records (and PTR records) for RFC1918 addresses. Steve [EMAIL PROTECTED] wrote: > > > I'm looking through my FW1 log because our T1 is up and running, but we can't > seem to get to the Internet, except email. I'm seeing entries in the log such > as: > >         Source          Destination >         t130.uia.net    msnbc.com > > The source is not from our network and the destination is not to our network, > so why the heck would that source be coming to us to get to msnbc?  BTW, > uia.net is our ISP. > > Any ideas? > > Thanks, Michelle > _____________________ > Michelle Johnston, MCSE4, CNE5 > Network Manager, NHRA > [EMAIL PROTECTED] -- Steven Lee, CISSP                  (206) 762-4000 x104 Senior Network Security Engineer   (206) 762-4400 FAX AVCOM Technologies, Inc.           (800) 817-9525 Pager 4636 E Marginal Way S, Ste B-100   http://www.avcom.com Seattle, WA 98134-2383             mailto:[EMAIL PROTECTED]