Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-03 Thread bmanning

 well, actually this was the IP address used for l.root-servers.net
from 1998-2008.  so i guess you could say it's never been used for anything.

 we are not currently routing that prefix and there should currently be nothing
at that IP address.

--bill



On Tue, Sep 02, 2008 at 06:24:21PM -0400, Dan Mahoney, System Admin wrote:
 Hello all,
 
 While recently trying to debug a CEF issue, I found a good number of 
 packets in my debug cef drops output that were all directed at 
 198.32.64.12 (which I see as being allocated to ep.net but completely 
 unused).
 
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 
 Now, as nearly as I can tell, this IP address has never been used for 
 anything, but I see occasional references to it, such as here:
 
 http://www.honeynet.org/papers/forensics/exploit.html
 
 So the question is, should I just ignore this as a properly dropped packet 
 due to no route (this provider is running defaultless, so unless such a 
 route exists, it should be okay).
 
 On the other hand, one of the other packets I'm seeing specifically refers 
 to a DNS exploit, so should I then dispatch to people to trace down the 
 source origin ?  (Suffice it to say the resources are there to find it 
 fairly easily, even if the source address is forged).
 
 -Dan
 
 -- 
 
 Dan Mahoney
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Site:  http://www.gushi.org
 ---
 



Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-03 Thread bmanning
On Wed, Sep 03, 2008 at 10:00:41AM -0400, Christopher Morrow wrote:
 On Wed, Sep 3, 2008 at 8:48 AM,  [EMAIL PROTECTED] wrote:
  On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
  On 9/2/08, Todd Underwood [EMAIL PROTECTED] wrote:
 
checking our current data, that block is not currently routed by any
of our peers over the last month (i would assume ripe ris and
routeviews report similar data, but i did not check them).
 
  it's also probably worth stating that parts of 198.32/16 are never
  routed anywhere on the Internet (here comes bill to tell me 'who's
  Internet?' .). Some is in use on private networks, some is in use
  at exchange points and not routed outside the immediate peers.
 
 grump... ok...  who's internet?
 
 there he is!!! :) (thanks for restoring my faith in... humanity)

WHO'S THAT TRIP-TRAPPING ACROSS MY BRIDGE?
(random thought of the day ...  is there a real requirement to 
do routing at the level of granularity we seem to have fallen into?
is there any reason to not do more bridging, creating larger broadcast
domains?  Such constructs are certainly more amenable to device mobility,
esp. in the absence of workable mobile IP and the dearth of EID/LOC splits...
and there would be less route churn, lots of good reasons)


 
  Most times, as I recall, epnet does a decent job of keeping the whois
  data or rdns data updated though, for things in use. (though possibly
  not for private uses)
 
 rdns more so than whois...
 
 198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix.
 for instance?

well that has been there for some time - we need not remove the 
clay-cap off that nuclear waste dump - let sleeping dogs lie.

 
 -chris

--bill



198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Dan Mahoney, System Admin

Hello all,

While recently trying to debug a CEF issue, I found a good number of 
packets in my debug cef drops output that were all directed at 
198.32.64.12 (which I see as being allocated to ep.net but completely 
unused).


Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for 
anything, but I see occasional references to it, such as here:


http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet 
due to no route (this provider is running defaultless, so unless such a 
route exists, it should be okay).


On the other hand, one of the other packets I'm seeing specifically refers 
to a DNS exploit, so should I then dispatch to people to trace down the 
source origin ?  (Suffice it to say the resources are there to find it 
fairly easily, even if the source address is forged).


-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
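The triage Dan is asking about (is a stream of "no route" drops to one address expected, or worth chasing?) is easy to make repeatable. The script below is an added example, not something from this thread or from any of the posters: it parses the CEF-Drop lines quoted above out of a constructed log sample, counts no-route drops per destination, and marks destinations that match a table of retired infrastructure addresses. The only table entry is 198.32.64.12, the former l.root-servers.net address identified later in the thread; the second address in the sample (192.0.2.77) is a constructed placeholder to show how an unexplained destination is reported.

```python
import re
from collections import Counter

# Constructed sample in the format of the "debug cef drops" output quoted in
# the thread (the 192.0.2.77 line is invented to show the other code path).
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
"""

# Addresses that once belonged to well-known infrastructure and are no longer
# routed. The single entry is the old l.root-servers.net address discussed in
# the thread (renumbered roughly a year before Sept 2008, announcement since
# withdrawn). Extend with your own retired addresses.
RETIRED_ADDRESSES = {
    "198.32.64.12": "former l.root-servers.net address; "
                    "sender most likely has stale root hints",
}

# Matches "Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route".
CEF_DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): CEF-Drop: Packet for "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)


def parse_cef_drops(text):
    """Yield (timestamp, destination, reason) for every CEF-Drop line."""
    for line in text.splitlines():
        m = CEF_DROP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("dst"), m.group("reason")


def triage(text, retired=RETIRED_ADDRESSES):
    """Count no-route drops per destination and attach a verdict to each.

    A destination in the retired table is the benign case the thread ends up
    describing (a defaultless router correctly dropping traffic for an address
    nobody should announce). Anything else stays flagged for a look at the
    sources, since a drop log alone cannot say who is sending or why.
    """
    counts = Counter()
    for _ts, dst, reason in parse_cef_drops(text):
        if reason == "no route":
            counts[dst] += 1
    report = {}
    for dst, n in counts.most_common():
        if dst in retired:
            verdict = "expected: " + retired[dst]
        else:
            verdict = "unexplained: unrouted destination, review the sources"
        report[dst] = {"drops": n, "verdict": verdict}
    return report


if __name__ == "__main__":
    for dst, info in triage(SAMPLE_LOG).items():
        print(f"{dst:16} {info['drops']:5d}  {info['verdict']}")
```

Feeding it a real `debug cef drops` capture instead of `SAMPLE_LOG` gives the same per-destination summary; the regex is deliberately strict about the line shape so unrelated debug output is ignored rather than miscounted.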




Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Gadi Evron

My profile and resume: http://www.linkedin.com/in/gadievron
On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:


Hello all,

While recently trying to debug a CEF issue, I found a good number of packets 
in my debug cef drops output that were all directed at 198.32.64.12 (which 
I see as being allocated to ep.net but completely unused).


Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for 
anything, but I see occasional references to it, such as here:


http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet 
due to no route (this provider is running defaultless, so unless such a 
route exists, it should be okay).


On the other hand, one of the other packets I'm seeing specifically refers to 
a DNS exploit, so should I then dispatch to people to trace down the source 
origin ?  (Suffice it to say the resources are there to find it fairly 
easily, even if the source address is forged).


It should be treated as an intelligence source, sharing that one openly is 
probably counter-productive.


Regardless, very interesting. I think follow-up just for interest's sake 
may be worth it.




-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---






Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Steve Conte

On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:


Hello all,

While recently trying to debug a CEF issue, I found a good number of  
packets in my debug cef drops output that were all directed at  
198.32.64.12 (which I see as being allocated to ep.net but  
completely unused).


Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used  
for anything, but I see occasional references to it, such as here:




Once upon a time, that used to be the IP address for the L Root server.

Steve





-
Steve Conte
[EMAIL PROTECTED]






Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Paul Wall
Gadi,

Could you please take the self-promotion offline already?  Enough is
enough!  I don't think anybody on this list is interested in hiring
you or reviewing your resume!

(It could be argued that my post is off-topic as well.  I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 My profile and resume: http://www.linkedin.com/in/gadievron
 On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:

 Hello all,

 While recently trying to debug a CEF issue, I found a good number of
 packets in my debug cef drops output that were all directed at
 198.32.64.12 (which I see as being allocated to ep.net but completely
 unused).

 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
 Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

 Now, as nearly as I can tell, this IP address has never been used for
 anything, but I see occasional references to it, such as here:

 http://www.honeynet.org/papers/forensics/exploit.html

 So the question is, should I just ignore this as a properly dropped packet
 due to no route (this provider is running defaultless, so unless such a
 route exists, it should be okay).

 On the other hand, one of the other packets I'm seeing specifically refers
 to a DNS exploit, so should I then dispatch to people to trace down the
 source origin ?  (Suffice it to say the resources are there to find it
 fairly easily, even if the source address is forged).

 It should be treated as an intelligence source, sharing that one openly is
 probably counter-productive.

 Regardless, very interesting. I think follow-up just for interest's sake may
 be worth it.


 -Dan

 --

 Dan Mahoney
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Site:  http://www.gushi.org
 ---







Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread David Conrad

On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
While recently trying to debug a CEF issue, I found a good number of  
packets in my debug cef drops output that were all directed at  
198.32.64.12 (which I see as being allocated to ep.net but  
completely unused).


As Steve Conte pointed out, that is the address that used to be used  
for l.root-servers.net.  l.root-servers.net was renumbered almost a  
year ago, with the announcement of the old address turned off about 6  
months ago.


So the question is, should I just ignore this as a properly dropped  
packet due to no route (this provider is running defaultless, so  
unless such a route exists, it should be okay).


Packets being sent to 198.32.64.12 most likely come from DNS caching  
servers that haven't had their hints updated.  In the ideal world, you  
could hunt down those machines and kick 'em in the head (that is,  
install a new hints file).  That they're unrouted is definitely the  
way things should be.


Regards,
-drc
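David's fix for the root cause ("install a new hints file") is something a resolver operator can check for mechanically. The following is an added example, not code from the thread or from any root operator: it parses a constructed excerpt in the layout of a BIND `named.root` hints file and reports any root server whose glue address appears in a table of retired addresses, or which has no glue address at all. The retired table again holds only 198.32.64.12, the old l.root-servers.net address from this thread; the A-root entry in the sample is included only so the file has a healthy line to compare against.

```python
# Constructed excerpt in named.root layout. The L entry deliberately carries
# the retired address discussed in the thread; everything else is filler.
STALE_HINTS = """\
;   root hints (constructed sample for the example)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

# Old addresses that a resolver must no longer use as a root hint.
RETIRED = {"198.32.64.12": "old l.root-servers.net address, no longer announced"}


def parse_hints(text):
    """Return (set of root NS names, {ns_name: [glue addresses]}).

    Handles the usual named.root shape: optional ';' comments, an owner
    name, a TTL, optional class, the record type and the rdata.
    """
    roots, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if owner == "." and rtype == "NS":
            roots.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return roots, glue


def audit_hints(text, retired=RETIRED):
    """List (ns_name, address, problem) for every stale or incomplete root entry.

    A retired glue address means this resolver is one of the stale-hints
    machines David describes; a root NS with no glue at all cannot be primed
    from this file and should be fixed as well.
    """
    roots, glue = parse_hints(text)
    findings = []
    for ns in sorted(roots):
        addrs = glue.get(ns, [])
        if not addrs:
            findings.append((ns, None, "no glue address in hints file"))
        for a in addrs:
            if a in retired:
                findings.append((ns, a, "retired address: " + retired[a]))
    return findings


if __name__ == "__main__":
    for ns, addr, problem in audit_hints(STALE_HINTS):
        print(f"{ns:24} {addr or '-':16} {problem}")
```

Run against the resolver's real hints file, an empty result means the file contains none of the addresses in `RETIRED`; the table is the part to maintain, and comparing the parsed glue against a freshly fetched copy of the current root hints is the natural next step.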




Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Todd Underwood
dan,

(to follow up on david conrad's response)...

On Tue, Sep 02, 2008 at 04:31:40PM -0700, David Conrad wrote:
 On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
 While recently trying to debug a CEF issue, I found a good number of  
 packets in my debug cef drops output that were all directed at  
 198.32.64.12 (which I see as being allocated to ep.net but  
 completely unused).
 
 As Steve Conte pointed out, that is the address that used to be used  
 for l.root-servers.net.  l.root-servers.net was renumbered almost a  
 year ago, with the announcement of the old address turned off about 6  
 months ago.

there's some context on recent routing issues with this network
described at the renesys blog here:

http://www.renesys.com/blog/2008/06/securing_the_root_1.shtml

in short:  the prefix containing this network was advertised by people
other than iana for a time after iana stopped advertising it. 

checking our current data, that block is not currently routed by any
of our peers over the last month (i would assume ripe ris and
routeviews report similar data, but i did not check them).

t.

-- 
_
todd underwood                    +1 603 643 9300 x101
renesys corporation               general manager    babbledog
[EMAIL PROTECTED]                 http://www.renesys.com/blog



Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Aaron Glenn
On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 My profile and resume: http://www.linkedin.com/in/gadievron

are you for real?



Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread micky coughes
On Tue, Sep 2, 2008 at 9:32 PM, Aaron Glenn [EMAIL PROTECTED] wrote:
 On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 My profile and resume: http://www.linkedin.com/in/gadievron

 are you for real?



No, he is not.



Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?]

2008-09-02 Thread Steven M. Bellovin
On Tue, 2 Sep 2008 21:40:38 -0400
Patrick W. Gilmore [EMAIL PROTECTED] wrote:

 [SNIP]
 
 Just so that I am clear on your issue here: You believe it is okay  
 for you to put your linkedin URL in your .sig, but Gadi must not be  
 allowed to put it at the top of a post? 

Yes, I think that's exactly right.  It's a statement of what the sender
perceives to be important about the email.  I read email for the
content; having the URL at the top is an assertion by the poster that
he thinks his resume is more important than what he says.  (Yes, I know
some of you are about to hit reply to say maybe it is from Gadi.
Don't bother -- what he says is often quite valuable.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Christopher Morrow
On 9/2/08, Todd Underwood [EMAIL PROTECTED] wrote:

  checking our current data, that block is not currently routed by any
  of our peers over the last month (i would assume ripe ris and
  routeviews report similar data, but i did not check them).

it's also probably worth stating that parts of 198.32/16 are never
routed anywhere on the Internet (here comes bill to tell me 'who's
Internet?' .). Some is in use on private networks, some is in use
at exchange points and not routed outside the immediate peers.

Most times, as I recall, epnet does a decent job of keeping the whois
data or rdns data updated though, for things in use. (though possibly
not for private uses)

-chris
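Todd's note that the prefix was announced by parties other than IANA after IANA withdrew it, and Chris's point that parts of 198.32/16 are legitimately never routed on the public Internet, both come down to one monitoring question: for an address that should be unrouted, is anyone announcing a covering prefix, and from which origin? The script below is an added example, not from the thread, Renesys, RIPE RIS or RouteViews. It works on a constructed route-observation format (`peer|prefix|AS path`, invented for the example), finds every prefix that covers a given address with the most specific first, and reports those whose origin AS is not in an allowed set. The prefixes and ASNs in the sample are constructed (documentation ranges and private ASNs), chosen only so that 198.32.64.12 from the thread is covered by both a /16 and a /24.

```python
import ipaddress

# Constructed sample of route observations from several vantage points, one
# per line as "<peer>|<prefix>|<AS path>". The layout is made up for this
# example and the ASNs are from the private range.
SAMPLE_ROUTES = """\
peer-a|198.32.0.0/16|64500 64496
peer-b|198.32.64.0/24|64500 64499
peer-c|192.0.2.0/24|64500 64501
peer-d|198.32.64.0/24|64502 64499
"""


def parse_routes(text):
    """Yield (peer, network, origin_asn) from the constructed route format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        peer, prefix, path = line.split("|")
        # The origin AS is the last hop of the AS path.
        yield peer, ipaddress.ip_network(prefix, strict=False), int(path.split()[-1])


def covering_routes(address, text):
    """All observed routes whose prefix contains `address`, most specific first.

    A covering aggregate (here the /16) matters as much as an exact prefix:
    traffic for an address that should be black-holed will follow it.
    """
    ip = ipaddress.ip_address(address)
    hits = [(peer, net, origin) for peer, net, origin in parse_routes(text) if ip in net]
    return sorted(hits, key=lambda h: h[1].prefixlen, reverse=True)


def unexpected_announcements(address, text, allowed_origins=frozenset()):
    """Routes covering `address` whose origin AS is not in `allowed_origins`.

    For an address that is supposed to be unrouted (the thread's case), pass
    the default empty set: every covering route is then a finding to review.
    """
    return [(peer, str(net), origin)
            for peer, net, origin in covering_routes(address, text)
            if origin not in allowed_origins]


if __name__ == "__main__":
    for peer, prefix, origin in unexpected_announcements("198.32.64.12", SAMPLE_ROUTES):
        print(f"{peer:8} sees {prefix:18} originated by AS{origin}")
```

With real data the `parse_routes` function is the only part to swap out for a reader of whatever collector format is in use; the covering-prefix logic and the allowed-origin check stay the same.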



Re: self-promotion [was: 198.32.64.12 -- Harmless mis-route or potential exploit?]

2008-09-02 Thread Gadi Evron

On Tue, 2 Sep 2008, Steven M. Bellovin wrote:

On Tue, 2 Sep 2008 21:40:38 -0400
Patrick W. Gilmore [EMAIL PROTECTED] wrote:


[SNIP]

Just so that I am clear on your issue here: You believe it is okay
for you to put your linkedin URL in your .sig, but Gadi must not be
allowed to put it at the top of a post?


Yes, I think that's exactly right.  It's a statement of what the sender
perceives to be important about the email.  I read email for the


I agree, which is why this fluke in not deleting the last line with ctrl+k 
as PINE appends signature lines at the top of the post by default--was 
awkward. Good thing I don't much get deterred by awkward.


Still, I bet this is going to be a huge thread yet again. No one 
appends any URL at the footer--not even me! ;) But folks with no content 
to contribute would naturally jump at it like they would at even just a 
typo.


I suppose it is only natural when you become a celebrity of any sort--you 
draw all sorts of attention. At first my thick skin helped, nowadays I 
just find it amusing.


Folks flooded mailing lists spoofing my name (creating ASCII art of Beavis 
or a swastika) using the subject lines. They flooded yet again, with furry 
porn pictures attached. They launched fan blogs, created an Encyclopedia 
Dramatica entry...


I've had a comic strip made about me, a song written about me, a fake 
craigslist entry... all of course, serving as a boost to my ego--knowing 
now I must have made it! ;-)


There was a blackhat presentation which in part was about how someone 
faked a social network account being me, and how he almost got an 
informationweek interview as me out of it--I was on to him.


Most recently, someone created a comic-strip in ASCII about me (very 
funny, but R rated, so don't go if you find that type of thing offensive).

It's from the now I know I've made it! department:

http://fr.pastebin.ca/raw/1094119

To wrap this up, I don't often (at all) use signature lines, but I do have 
them and out of habit delete them with almost every new posting from the 
footer.


I had two VERY self-deprecating (and very funny) quotes, before, which 
also were not often used, anyone remember?


1.
beepbeep it, i leave work, stop reading sec lists and im still hearing 
gadi - HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 
2007.


2. 
*FART*

-- Avi Freedman to Gadi Evron in a Chinese restaurant, Boston 2007.

To even things out, my new barely ever used footer signature, is:

-
You don't need your firewalls! Gadi is Israel's firewall.
-- Itzik (Isaac) Cohen, Computers czar, Senior Deputy to the Accountant 
General,
   Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
--

So, I missed one line and it stuck at the footer and no one noticed it 
except the trolls. Now that the awkward moment is over and I made the 
unnecessary yet required explanation... can we move on?


I really should use the man page and see how I move the signature from the 
footer in PINE.


Thanks for the free advertisement of my resume, trolls! Appreciated.

Gadi.



content; having the URL at the top is an assertion by the poster that
he thinks his resume is more important than what he says.  (Yes, I know
some of you are about to hit reply to say maybe it is from Gadi.
Don't bother -- what he says is often quite valuable.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb