Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
well, actually this was the IP address used for l.root-servers.net from 1998-2008. so i guess you could say it's never been used for anything. we are not currently routing that prefix and there should currently be nothing at that IP address.

--bill

On Tue, Sep 02, 2008 at 06:24:21PM -0400, Dan Mahoney, System Admin wrote:
> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
>
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
>
> http://www.honeynet.org/papers/forensics/exploit.html
>
> So the question is, should I just ignore this as a properly dropped packet due to no route (this provider is running defaultless, so unless such a route exists, it should be okay).
>
> On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).
>
> -Dan
>
> --
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On Wed, Sep 03, 2008 at 10:00:41AM -0400, Christopher Morrow wrote:
> On Wed, Sep 3, 2008 at 8:48 AM, [EMAIL PROTECTED] wrote:
>> On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
>>> On 9/2/08, Todd Underwood [EMAIL PROTECTED] wrote:
>>>> checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them.
>>>
>>> it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.
>>
>> grump... ok... who's internet?
>
> there he is!!! :) (thanks for restoring my faith in... humanity)

WHO'S THAT TRIP-TRAPPING ACROSS MY BRIDGE?

(random thought of the day ... is there a real requirement to do routing at the level of granularity we seem to have fallen into? is there any reason to not do more bridging, creating larger broadcast domains? Such constructs are certainly more amenable to device mobility, esp in the absence of workable mobile IP and the dearth of EID/LOC splits... and there would be less route churn lots of good reasons)

>>> Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)
>>
>> rdns more so than whois... 198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix. for instance?
>
> well that has been there for some time - we need not remove the clay-cap off that nuclear waste dump - let sleeping dogs lie.
>
> -chris

--bill
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
My profile and resume: http://www.linkedin.com/in/gadievron

On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
>
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
>
> http://www.honeynet.org/papers/forensics/exploit.html
>
> So the question is, should I just ignore this as a properly dropped packet due to no route (this provider is running defaultless, so unless such a route exists, it should be okay).
>
> On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).

It should be treated as an intelligence source, sharing that one openly is probably counter-productive. Regardless, very interesting. I think follow-up just for interest's sake may be worth it.

> -Dan
>
> --
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
>
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

Once upon a time, that used to be the IP address for the L Root server.

Steve

-
Steve Conte
[EMAIL PROTECTED]
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
Gadi,

Could you please take the self-promotion offline already? Enough is enough! I don't think anybody on this list is interested in hiring you or reviewing your resume!

(It could be argued that my post is off-topic as well. I disagree. Furthermore, it had to be done, given the lack of public face or consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
> My profile and resume: http://www.linkedin.com/in/gadievron
>
> On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
>> Hello all,
>>
>> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
>>
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>>
>> Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
>>
>> http://www.honeynet.org/papers/forensics/exploit.html
>>
>> So the question is, should I just ignore this as a properly dropped packet due to no route (this provider is running defaultless, so unless such a route exists, it should be okay).
>>
>> On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).
>
> It should be treated as an intelligence source, sharing that one openly is probably counter-productive. Regardless, very interesting. I think follow-up just for interest's sake may be worth it.
>
>> -Dan
>>
>> --
>> Dan Mahoney
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144 AIM: LarpGM
>> Site: http://www.gushi.org
>> ---
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

As Steve Conte pointed out, that is the address that used to be used for l.root-servers.net. l.root-servers.net was renumbered almost a year ago, with the announcement of the old address turned off about 6 months ago.

> So the question is, should I just ignore this as a properly dropped packet due to no route (this provider is running defaultless, so unless such a route exists, it should be okay).

Packets being sent to 198.32.64.12 most likely come from DNS caching servers that haven't had their hints updated. In the ideal world, you could hunt down those machines and kick 'em in the head (that is, install a new hints file). That they're unrouted is definitely the way things should be.

Regards,
-drc
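A small defender-side check, added here as an example and not posted by anyone in this thread: it tallies CEF-Drop lines by destination, flags destinations that are retired root-server addresses (only 198.32.64.12, the address named in the thread, is listed), and scans a root hints file for entries still pointing at such an address. The log lines and the hints fragment are constructed samples, and 192.0.2.1 / 192.0.2.77 are documentation-range placeholders, not real addresses.

```python
import re
from collections import Counter

# Retired l.root-servers.net address, as stated in this thread.
RETIRED_ROOT_ADDRS = {"198.32.64.12"}

# Constructed sample in the format of the "debug cef drops" output quoted above.
SAMPLE_CEF_LOG = """\
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep 2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
"""

CEF_DROP_RE = re.compile(r"CEF-Drop: Packet for (\d{1,3}(?:\.\d{1,3}){3}) -- (.+)$")


def count_cef_drops(log_text):
    """Return {destination: count} for every CEF-Drop line in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CEF_DROP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def retired_root_hits(counts):
    """Keep only destinations that are retired root-server addresses."""
    return {dst: n for dst, n in counts.items() if dst in RETIRED_ROOT_ADDRS}


# Constructed hints fragment in named.root syntax; 192.0.2.1 is a placeholder
# standing in for a current address, not the real one.
SAMPLE_HINTS = """\
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
M.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
"""


def stale_hints(hints_text):
    """Return (owner, address) pairs whose A record points at a retired address."""
    stale = []
    for line in hints_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[-2].upper() == "A" and fields[-1] in RETIRED_ROOT_ADDRS:
            stale.append((fields[0], fields[-1]))
    return stale


if __name__ == "__main__":
    drops = count_cef_drops(SAMPLE_CEF_LOG)
    print("drops by destination:", drops)
    print("hits on retired root addresses:", retired_root_hits(drops))
    print("stale hints entries:", stale_hints(SAMPLE_HINTS))
```

Run the hints check against each resolver's actual hints file; a hit there is the "update the hints" case described above, while a hit only in the drop counts points at a resolver you still have to locate.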
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
dan,

(to follow up on david conrad's response)...

On Tue, Sep 02, 2008 at 04:31:40PM -0700, David Conrad wrote:
> On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
>> While recently trying to debug a CEF issue, I found a good number of packets in my debug cef drops output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
>
> As Steve Conte pointed out, that is the address that used to be used for l.root-servers.net. l.root-servers.net was renumbered almost a year ago, with the announcement of the old address turned off about 6 months ago.

there's some context on recent routing issues with this network described at the renesys blog here:

http://www.renesys.com/blog/2008/06/securing_the_root_1.shtml

in short: the prefix containing this network was advertised by people other than iana for a time after iana stopped advertising it.

checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them.

t.

--
_
todd underwood                    +1 603 643 9300 x101
renesys corporation               general manager babbledog
[EMAIL PROTECTED]                 http://www.renesys.com/blog
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
> My profile and resume: http://www.linkedin.com/in/gadievron

are you for real?
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On Tue, Sep 2, 2008 at 9:32 PM, Aaron Glenn [EMAIL PROTECTED] wrote:
> On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:
>> My profile and resume: http://www.linkedin.com/in/gadievron
>
> are you for real?

No, he is not.
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
On 9/2/08, Todd Underwood [EMAIL PROTECTED] wrote:
> checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them.

it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.

Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)

-chris