Read RFC1918. Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).

--
TTFN,
patrick


On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:

> As far as I know, 172.0.1.216 is not assigned, yet.
>
> whois -h whois.arin.net 172.0.1.216
> [whois.arin.net]
> #
> # Query terms are ambiguous. The query is assumed to be:
> # "n 172.0.1.216"
> #
> # Use "?" to get help.
> #
>
> No match found for 172.0.1.216.
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
> Also, when you check BGP routing table, it is not routed at all.
>
> route-server.as3257.net>sh ip bgp 172.0.1.216
> % Network not in table
> route-server.as3257.net>
>
> So it seems like forged IP address.
>
> Alex
>
>
> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <t...@fred.net> wrote:
>> Hi all,
>>
>> Tearing what's left of my hair out.
>>
>> A customer is getting scanned by a host claiming to be "172.0.1.216".
>>
>> I know this is bogus, but I want to go back to the customer with as
>> much authoritative umph as I can (heaven forbid they just take my
>> word).
>>
>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>> something like that. All I can find now is that 172/8 is "administered by
>> ARIN". Lots of information on 172.16/12, but not a peep about
>> 172/12.
>>
>> If anybody could provide some insight as to the
>> allocation/non-allocation of this block, it would be much appreciated.
>>
>> Thanks.
>>
>> Ted Fischer
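An added example, not part of the thread: a Python check of which addresses fall inside the RFC 1918 blocks, showing the ranges covered by 172.16/12 and by the 172/12 block asked about. The log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def block_range(cidr):
    """Return (first, last) address of a CIDR block as strings."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)

def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr as a string, or None."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None

def classify_sources(log_lines):
    """Map each SRC= address in the log lines to its RFC 1918 block (or None)."""
    result = {}
    for line in log_lines:
        m = re.search(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b", line)
        if m:
            result[m.group(1)] = rfc1918_block(m.group(1))
    return result

# Constructed sample log lines (not from the thread).
# DST is a documentation address (192.0.2.0/24).
SAMPLE_LOG = [
    "IN=eth0 SRC=172.0.1.216 DST=192.0.2.10 PROTO=TCP DPT=22",
    "IN=eth0 SRC=172.16.1.216 DST=192.0.2.10 PROTO=TCP DPT=22",
    "IN=eth0 SRC=172.31.255.254 DST=192.0.2.10 PROTO=TCP DPT=23",
    "IN=eth0 SRC=172.32.0.1 DST=192.0.2.10 PROTO=TCP DPT=23",
]

if __name__ == "__main__":
    print("172.16.0.0/12 covers", block_range("172.16.0.0/12"))
    print("172.0.0.0/12 covers", block_range("172.0.0.0/12"))
    for src, block in classify_sources(SAMPLE_LOG).items():
        print(src, "->", block or "not RFC 1918")
```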