On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <[email protected]> wrote:
> There are other reasons to do it intentionally.
>

Yup, there are other intentional places where you can emit packets which are not announced.

For example, the Reserved IPv4 Dummy Address (192.0.0.8):

RFC7600 - "IPv4 Residual Deployment via IPv6 - A Stateless Solution (4rd)"
<https://datatracker.ietf.org/doc/rfc7600/>

Sec 4.6:

"R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it MUST synthesize an ICMPv4 error packet [RFC792]. This packet MUST contain the first 8 octets of the discarded packet's IP payload. The reserved IPv4 dummy address (192.0.0.8/32; see Section 6) MUST be used as its source address."

W

> You can use 10/8 to exfiltrate data. So you could have a receiving system
> that catalogs every 10.x IP address and then assembles them in order for a
> bit stream. You can exfiltrate data pretty quickly. Think of it like a
> number station.
>
> Jonathan Kalbfeld
>
> office: +1 310 317 7933
> fax: +1 310 317 7901
> home: +1 310 317 7909
> mobile: +1 310 227 1662
>
> ThoughtWave Technologies, Inc.
> Studio City, CA 91604
>
> https://thoughtwave.com
>
> View our network at
>
> https://bgp.he.net/AS54380
>
> +1 844 42-LINUX
>
> On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG <[email protected]>
> wrote:
>
> On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:
>
> Sure. A large American mobile operator did that with a lot of their DNS
> traffic for a couple of months. :-)
>
> Of course you may be talking about doing it _intentionally_. I don't
> know of a reason to do it, but sure, it can be done. It'll get dropped by
> anybody running uRPF.
>
> I don't remember if it was at SANE 2000 or 2002, but I was talking with a
> gentleman who was discussing network security with me and he described that
> his employer had just patented his technique for discovering "leaks", rogue
> connections, etc., in a secured network.
>
> He was being very mysterious so I asked him how his technique was different
> than the classic trawling around shooting packets with various source
> addresses at various targets within a network. Which is what they thought
> was unique and patentable.
>
> So the point is that if you have an unrouted prefix, you can monitor the
> authorized uplink from a network to see if traffic sprayed within the
> network is seeing plausible response traffic addressed to that unrouted
> prefix, but also if you happen to have a ROUTABLE prefix, you can also
> detect rogue uplinks and stuff like that by seeing what does actually
> arrive at the routed network.
>
> This is not exactly what the OP asked about, but it is in the same
> ballpark and may be interesting to someone. The ICMP response answer posted
> by Mr. Heitz is obviously more common as are the accidental
> misconfiguration class of answers.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "The strain of anti-intellectualism has been a constant thread winding its
> way through our political and cultural life, nurtured by the false notion
> that democracy means that 'my ignorance is just as good as your
> knowledge.'"-Asimov
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/[email protected]/message/PLFI75KYZXX7AZW7JLM2YL6MYW56CSGZ/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/MHFSGEQUXX6ENXCHSTOX2646X64MKSHU/
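An added example (not from any message in this thread) putting the defensive side of the discussion into code: a uRPF-style source check over uplink flow records, Joe Greco's canary test for replies addressed to an unannounced prefix, and an exception for the ICMPv4 errors RFC 7600 R-22 sources from 192.0.0.8. The flow-record format, the canary prefix and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Source prefixes that should never appear on the public uplink: RFC 1918
# private space plus 192.0.0.0/24 (IETF Protocol Assignments), which holds
# the RFC 7600 dummy address. Strict uRPF would discard these sources.
UNROUTED = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.0.0/24")]
# Canary prefix for the leak test: deliberately left unannounced, so a reply
# addressed to it should never reach the authorized uplink. Constructed
# example value (documentation range), not a real assignment.
CANARY = ipaddress.ip_network("203.0.113.0/24")
RFC7600_DUMMY = ipaddress.ip_address("192.0.0.8")   # reserved IPv4 dummy address
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}                 # ICMPv4 errors, not echo


def classify(flow):
    """Label one flow record ({'src','dst','proto', optional 'icmp_type'})."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    # R-22 of RFC 7600: a CE/BR synthesizes ICMPv4 errors sourced from
    # 192.0.0.8, so an ICMP *error* from that address is expected behaviour.
    if (src == RFC7600_DUMMY and flow.get("proto") == "icmp"
            and flow.get("icmp_type") in ICMP_ERROR_TYPES):
        return "rfc7600-synth-icmp"
    # Any other unrouted source is a leak or misconfiguration that strict
    # uRPF on the upstream would drop.
    if any(src in net for net in UNROUTED):
        return "urpf-drop"
    # A packet *addressed to* the canary prefix means a host inside answered
    # sprayed probe traffic and the reply is escaping via this uplink.
    if dst in CANARY:
        return "canary-hit"
    return "ok"


def audit(flows):
    """Count labels over a batch of flow records."""
    return dict(Counter(classify(f) for f in flows))


# Constructed sample flows standing in for exported uplink flow records.
SAMPLE_FLOWS = [
    {"src": "10.4.2.1", "dst": "198.51.100.7", "proto": "udp"},
    {"src": "192.0.0.8", "dst": "198.51.100.7", "proto": "icmp", "icmp_type": 3},
    {"src": "192.0.0.8", "dst": "198.51.100.7", "proto": "icmp", "icmp_type": 8},
    {"src": "198.51.100.9", "dst": "203.0.113.44", "proto": "tcp"},
    {"src": "198.51.100.9", "dst": "192.0.2.53", "proto": "udp"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```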
