routing invalid IP addresses

2004-02-21 Thread Geo.

We had an attack here last night and the attack traffic was coming from an
IP address of x.x.255.x which isn't a valid IP address yet the traffic was
being routed over the internet (as far as I can tell anyway). When I
attempted to track down the source I found our cisco routers wouldn't accept
the address as valid so it was not possible to null route or trace the
traffic.

Has anyone else ever seen this before? Clue me in?

Geo.



Re: routing invalid IP addresses

2004-02-21 Thread Bill Woodcock

> > x.x.255.x isn't a valid IP address
> Clue me in?

Clue: it's a valid address.

-Bill




Re: routing invalid IP addresses

2004-02-21 Thread Richard A Steenbergen

On Sat, Feb 21, 2004 at 07:47:46AM -0500, Geo. wrote:
>
> We had an attack here last night and the attack traffic was coming from an
> IP address of x.x.255.x which isn't a valid IP address yet the traffic was
> being routed over the internet (as far as I can tell anyway). When I
> attempted to track down the source I found our cisco routers wouldn't accept
> the address as valid so it was not possible to null route or trace the
> traffic.

*GASP* Traffic with an invalid IP address being routed over the Internet?
Dear god NO! Please say it isn't so. Oh the humanity.

Actually, it is a perfectly valid IP address. You just need to turn on ip 
subnet-zero.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f18.shtml

That means nothing however, as there is traffic with invalid source
addresses routed over the Internet all the time. Routing has nothing to do
with source IP, and everything to do with dest IP. If you want to filter
it, use an acl.

> Has anyone else ever seen this before? Clue me in?

I don't think an ordinary clue stick will do... Hrm perhaps a stick of 
clue dynamite is in order.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: routing invalid IP addresses

2004-02-21 Thread Geo.

traceroute to 248.245.255.191, that's what made me think it was invalid.

I did get the answer, I was being stupid and trying to use IP route instead
of an acl. Thanks to everyone who replied, even the no guy.

Geo. (I'm not the cisco guy, I was just the only one working last night)

- Original Message - 
From: Bill Woodcock [EMAIL PROTECTED]
To: Geo. [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, February 21, 2004 8:03 AM
Subject: Re: routing invalid IP addresses


> > > x.x.255.x isn't a valid IP address
> > Clue me in?
>
> Clue: it's a valid address.
>
> -Bill





Re: routing invalid IP addresses

2004-02-21 Thread Laurence F. Sheldon, Jr.
Geo. wrote:

> We had an attack here last night and the attack traffic was coming from an
> IP address of x.x.255.x which isn't a valid IP address yet the traffic was
> being routed over the internet (as far as I can tell anyway). When I
> attempted to track down the source I found our cisco routers wouldn't accept
> the address as valid so it was not possible to null route or trace the
> traffic.
> Has anyone else ever seen this before? Clue me in?

Invalid?  Really?  I used to manage a small collection of cisco routers
and I don't recall any of them complaining about such an address.
What color is the sky there?





Re: routing invalid IP addresses

2004-02-21 Thread Mikael Abrahamsson

On Sat, 21 Feb 2004, Laurence F. Sheldon, Jr. wrote:

> Invalid?  Really?  I used to manage a small collection of cisco routers
> and I don't recall any of them complaining about such an address.

Could be related to perhaps not having ip subnet-zero? (I have no idea, 
but the old thingie about highest and lowest network being 
broadcast/network address might be applicable in this case)

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Re: routing invalid IP addresses

2004-02-21 Thread Laurence F. Sheldon, Jr.
Mikael Abrahamsson wrote:

> On Sat, 21 Feb 2004, Laurence F. Sheldon, Jr. wrote:
>
> > Invalid?  Really?  I used to manage a small collection of cisco routers
> > and I don't recall any of them complaining about such an address.
>
> Could be related to perhaps not having ip subnet-zero? (I have no idea,
> but the old thingie about highest and lowest network being
> broadcast/network address might be applicable in this case)

Could be.  There are a number of things that don't work right if they
are not configured correctly.




Re: routing invalid IP addresses

2004-02-21 Thread Christopher X. Candreva

On Sat, 21 Feb 2004, Geo. wrote:


> traceroute to 248.245.255.191, that's what made me think it was invalid.

It has nothing to do with the x.y.255.z -- the 240.0.0.0/4 is IANA reserved
space.  If you had given the whole IP in the first place you could have
saved yourself some abuse. :-)

You are right in the sense that it has been recommended for a while that ISPs
filter invalid traffic outbound from their network, to prevent their
customers from spoofing.  However, given the number of incidents of
hijacking recently, it's entirely possible whoever is using this actually
has their own BGP feed.

[westnet]:~$ whois 248.245.255.191

BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman
Request: 248.245.255.191
from whois.arin.net:43 [cached Sat Feb 21 16:18:16 2004 UTC]

OrgName:Internet Assigned Numbers Authority
OrgID:  IANA
Address:4676 Admiralty Way, Suite 330
City:   Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:US

NetRange:   240.0.0.0 - 255.255.255.255
CIDR:   240.0.0.0/4
NetName:RESERVED-240
NetHandle:  NET-240-0-0-0-0
Parent:
NetType:IANA Special Use
Comment:Please see RFC 3330 for additional information.
RegDate:
Updated:2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  [EMAIL PROTECTED]

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2004-02-20 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.




==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


RE: routing invalid IP addresses

2004-02-21 Thread Geo.

> If you had given the whole IP in the first place you could have
> saved yourself some abuse. :-)


Now what fun would that have been? Ya gotta let these guys spit out abuse
once in a while, heck it's not often they know the right answer <g>...

Anyway, I'm currently investigating to see if it's possible the traffic was
coming from another local machine. The machine's admin mentioned a few
things that sounded to me like there were 2 way connections from this IP
involved instead of just spoofed UDP.

Geo.



Re: routing invalid IP addresses

2004-02-21 Thread Stephen J. Wilcox

248.x.x.x is in 'Class E' space, which is invalid on the Internet...

x.x.255.x are perfectly valid addresses; indeed we have 193.0.255.0/24.

subnet-zero isn't relevant either; this would be for, e.g., a class B using a
255.255.255.0 subnet mask. Since we don't bother with classful addressing and
we're not talking about the local addressing policy, this isn't of relevance.

You have some confusion with 'ip route' and ACLs; these do not fulfill the same
purpose. 'ip route' won't help you, as that is used to control the route to the
destination, and that would be your legitimate host. An ACL could help though: you
can safely deny 'access-list 100 deny ip 240.0.0.0 15.255.255.255 any' to block
anything with a similar source address. Just in case you get too excited with
your ACLs, don't go arbitrarily blocking other addresses (multicast, bogons,
RFC 1918 [10.x.x.x, 192.168.x.x]) else you may break some stuff!

And just to clarify your problem of how these invalid addresses were 'routed':
as above, packets are routed based on destination only; you can spoof and put
junk in the source and it will still traverse the Internet quite legitimately.

Steve

On Sat, 21 Feb 2004, Geo. wrote:

> traceroute to 248.245.255.191, that's what made me think it was invalid.
>
> I did get the answer, I was being stupid and trying to use IP route instead
> of an acl. Thanks to everyone who replied, even the no guy.
>
> Geo. (I'm not the cisco guy, I was just the only one working last night)
>
> - Original Message -
> From: Bill Woodcock [EMAIL PROTECTED]
> To: Geo. [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Saturday, February 21, 2004 8:03 AM
> Subject: Re: routing invalid IP addresses
>
>
> > > > x.x.255.x isn't a valid IP address
> > > Clue me in?
> >
> > Clue: it's a valid address.
> >
> > -Bill
 
 
 
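The points made in the replies above (Richard's "routing has nothing to do with source IP", Chris's whois showing 248.245.255.191 inside IANA-reserved 240.0.0.0/4, and Steve's source ACL) worked through as an added Python example; this is not code from the thread or from any poster. The forwarding table, next-hop names, sample firewall log lines and the list of reserved source blocks are constructed for the demo, and `wildcard_to_network` is a hypothetical helper that converts an IOS `address wildcard` pair into CIDR so the 240.0.0.0 15.255.255.255 entry can be checked.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed forwarding table (prefix -> next hop); not a real topology.
ROUTES = {
    ipaddress.IPv4Network("0.0.0.0/0"): "upstream",
    ipaddress.IPv4Network("193.0.255.0/24"): "customer-a",  # an x.x.255.x /24 is ordinary
    ipaddress.IPv4Network("198.51.100.0/24"): "dmz",
}


def lookup(dst: str) -> str:
    """Longest-prefix match on the destination address only (IPv4).

    The source address is never consulted, which is why a spoofed or
    reserved source still gets forwarded hop by hop across the Internet."""
    d = ipaddress.IPv4Address(dst)
    best = max((n for n in ROUTES if d in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


# Example list of source ranges that are never legitimate on an Internet-facing
# ingress interface (special-use space per RFC 3330, which the whois cites).
# 240.0.0.0/4 is the block 248.245.255.191 sits in. Apply this at the border
# only: RFC 1918 sources are legitimate on internal interfaces, and blocking
# multicast/bogon *destinations* is a different matter (Steve's caution).
MARTIAN_SOURCES = [
    ipaddress.IPv4Network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    )
]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Hypothetical helper: turn an IOS ACL 'address wildcard' pair into CIDR.

    In a wildcard mask a set bit means 'don't care', the inverse of a netmask,
    so 240.0.0.0 15.255.255.255 -> 240.0.0.0/4."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard mask")
    prefixlen = 32 - w.bit_length()
    base = int(ipaddress.IPv4Address(address)) & (~w & 0xFFFFFFFF)
    return ipaddress.IPv4Network((base, prefixlen))


def source_is_martian(src: str) -> Optional[ipaddress.IPv4Network]:
    """Return the reserved block a source falls in, or None if it is routable space."""
    s = ipaddress.IPv4Address(src)
    for net in MARTIAN_SOURCES:
        if s in net:
            return net
    return None


def forward(src: str, dst: str, ingress_filter: bool = True) -> str:
    """Simulate one router: optional source ACL on ingress, then destination lookup."""
    if ingress_filter:
        hit = source_is_martian(src)
        if hit is not None:
            return f"drop({hit} source)"
    return lookup(dst)


# Constructed netfilter-style log lines; not from the original incident.
SAMPLE_LOG = """\
Feb 21 02:13:44 gw kernel: IN=eth0 SRC=248.245.255.191 DST=198.51.100.7 PROTO=UDP SPT=31337 DPT=80
Feb 21 02:13:45 gw kernel: IN=eth0 SRC=193.0.255.10 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80
Feb 21 02:13:46 gw kernel: IN=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=53
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Run each logged (src, dst) pair through the filtering router and return decisions."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            src, dst = m.groups()
            out.append((src, dst, forward(src, dst)))
    return out


if __name__ == "__main__":
    print(wildcard_to_network("240.0.0.0", "15.255.255.255"))
    # Without the ACL the Class E source is forwarded like any other packet.
    print(forward("248.245.255.191", "198.51.100.7", ingress_filter=False))
    for row in triage(SAMPLE_LOG):
        print(row)
```

The `ingress_filter=False` call is the situation Geo saw: the lookup matches the destination and the junk source goes through. A static `ip route` for 248.245.255.191 would only change where packets *to* that address go, which is why only the ACL stops the attack traffic.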





Re: routing invalid IP addresses

2004-02-21 Thread bill

 
 
> > > x.x.255.x isn't a valid IP address
> > Clue me in?
>
> Clue: it's a valid address.
>
> -Bill

Meta Clue... it -can be- a valid address.
--bill


Re: routing invalid IP addresses

2004-02-21 Thread Brian Knoblauch


> Anyway, I'm currently investigating to see if it's possible the traffic was
> coming from another local machine. The machine's admin mentioned a few
> things that sounded to me like there were 2 way connections from this IP
> involved instead of just spoofed UDP.

Anybody hook up a new Macintosh lately?  OS X seems to spew traffic in
that range.  It appears to be some optional component as they don't all do
it, about half of ours do it.  I haven't cared enough to track down what
exactly is doing it.






Re: routing invalid IP addresses

2004-02-21 Thread Geo.


> Anybody hook up a new Macintosh lately?  OS X seems to spew traffic in
> that range.  It appears to be some optional component as they don't all do
> it, about half of ours do it.  I haven't cared enough to track down what
> exactly is doing it.

Not on this segment, only two linux boxes directly on the wire and two NT
boxes behind a Pix 506e. Whatever was going on has stopped now so I'm just
going from log fragments the admins are emailing me. It looks like someone
was trying to exploit apache/php on one of the linux boxes using spoofed udp
from that IP address I posted.

Geo.