-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Those are spoofed addresses. They could be coming from anyplace. The
idea that the numbers are 'not routable' is common, but not quite
accurate. The RFC 1918 packets are as routable as any other packet;
otherwise how would a subnetted LAN operate? There are many routed
networks configured with routers that route these packets, blissfully
unaware of any arbitrary numbers chosen by the writers of an RFC.
Routers that form the backbone of the Internet do not do anything
special, other than being bigger and faster than your normal Cisco
2500, as far as routing packets goes. Really, the only packets that are
not routable under default conditions are packets with multicast
(including broadcast) destination IP addresses.
The reason most people think they are unroutable is that most ISPs
create null interfaces based upon these address ranges. Since RFC
1918 clearly states that many networks can be using these addresses,
the addresses are now ambiguous and cannot be relied upon to make
routing decisions in a global environment. To accomplish this, the ISP
may have lines in the router such as:
! The 172.16.0.0/12 block starts at 172.16.0.0, not 172.31.0.0; IOS
! rejects a static route whose address and mask are inconsistent.
ip route 10.0.0.0 255.0.0.0 null0
ip route 172.16.0.0 255.240.0.0 null0
ip route 192.168.0.0 255.255.0.0 null0
which essentially says: "When I receive a packet with a destination
address of 10.10.71.237, send it to the null interface (trash)." This
is faster and more efficient for a router to do than matching an
access-list. Ideally, at the edge of the ISP network these filters
should dump illegal packets before they waste bandwidth in the core.
When you're routing close to 10 Gbps you don't want to slow the router
down with regular access-lists.
The problem is that routers only make these decisions based upon the
destination. The source can be anything. Your logs are recording
these bogus sources. Now there are ways to overcome this in the ISP,
but that is not the focus of your question.
Now, assuming that your ISP is not going to take one of these steps I
didn't describe :), you can drop these packets at the edge of your
network. In Cisco IOS, do something like this:
ip access-list standard NO-SPOOF
 deny 10.0.0.0 0.255.255.255
 deny 172.16.0.0 0.15.255.255
 deny 192.168.0.0 0.0.255.255
 permit any
!
interface s0
 ip access-group NO-SPOOF in
!
end
wri mem
Best case is to configure this alongside any ACLs/filters/firewalls you
already have coming in. It won't keep the junk from filling your pipe
to your router, but it will keep the packets from getting to the
server. If someone is really targeting you, they will eventually
realize that their spoofed addresses are not working anymore. If and
when they move to real source IP addresses, you can start tracking
them down.
You could also discuss with your ISP why packets with these sources
are making it to you in the first place. They should have a clue how
to filter them while still maintaining good performance on their
backbone. There are other things you can do as well, but this is a
start.
Hope this helps,
Cliff Riggs
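As an added illustration that is not part of the original thread (and not Cliff's code), the following Python models the two mechanisms described above: a destination-only route lookup with the three private blocks pointed at null0, and the NO-SPOOF source ACL. It then runs the ACL over an excerpt of Steven's log summary further down. The next-hop names, the interface names and the stand-in destination 203.0.113.10 (a documentation address used in place of the server's public address) are assumptions of the example.

```python
# Added example (not from the original thread): a small model of
# destination-only null routing versus a source ingress ACL, run over
# an excerpt of the posted log summary.  Next-hop names, interface
# names and the stand-in address 203.0.113.10 are assumptions.
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static routes as an ISP might carry them: the private blocks go to
# null0 (discard); everything else follows the default route upstream.
FIB = {ipaddress.ip_network("0.0.0.0/0"): "upstream"}
FIB.update({n: "null0" for n in RFC1918})


def route(dst):
    """Longest-prefix match on the DESTINATION only, like a real FIB.
    The source address is never consulted here."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def no_spoof_acl(src):
    """The NO-SPOOF standard ACL: deny RFC 1918 sources, permit any other."""
    return "deny" if is_rfc1918(src) else "permit"


def forward(src, dst):
    """At the customer edge: routing would forward on dst alone, but the
    inbound ACL judges src first."""
    return {"acl": no_spoof_acl(src), "route": route(dst)}


# Excerpt of the firewall log summary posted in the thread (constructed
# copy of a few of its entries, same format).
LOG = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
Port https (tcp,eth0,input): 5 packet(s).
Total of 5 packet(s).

Denied packets from 10.10.71.237.
Port netbios-dgm (udp,eth1,input): 69 packet(s).
Port netbios-ns (udp,eth1,input): 333 packet(s).
Total of 402 packet(s).

Denied packets from 10.10.0.4.
Port netbios-dgm (udp,eth1,input): 496 packet(s).
Port netbios-ns (udp,eth1,input): 2925 packet(s).
Total of 3421 packet(s).

Denied packets from 172.17.0.18.
Port 1434 (udp,eth1,input): 2 packet(s).
Total of 2 packet(s).

Denied packets from 10.10.0.1.
Port 0 (tcp,eth1,input): 3 packet(s).
Total of 3 packet(s).
"""

SRC_RE = re.compile(r"Denied packets from (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\.")
PORT_RE = re.compile(r"Port (\S+) \((\w+),(\w+),(\w+)\): (\d+) packet")


def parse_summary(text):
    """Yield (src, port, proto, iface, count) for every 'Port' line."""
    src = None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            src = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and src:
            port, proto, iface, _direction, count = m.groups()
            yield src, port, proto, iface, int(count)


def audit(text):
    """Tally denied packets with RFC 1918 sources (what NO-SPOOF would
    drop) and the interface each arrived on."""
    sources, by_iface = set(), Counter()
    dropped = permitted = 0
    for src, _port, _proto, iface, count in parse_summary(text):
        if is_rfc1918(src):
            sources.add(src)
            dropped += count
            by_iface[iface] += count
        else:
            permitted += count
    return {"rfc1918_sources": sorted(sources, key=ipaddress.ip_address),
            "dropped_by_no_spoof": dropped,
            "still_permitted": permitted,
            "rfc1918_by_iface": dict(by_iface)}


if __name__ == "__main__":
    print(forward("10.10.71.237", "203.0.113.10"))
    print(audit(LOG))
```

Running it shows the point of the message: the FIB lookup for a packet from 10.10.71.237 to the server returns "upstream" because only the destination is consulted, while the ingress ACL denies it on its source. The audit also reports which interface the RFC 1918-sourced packets arrived on, which is worth comparing against where the external link actually terminates before deciding that they crossed the Internet at all.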
-----Original Message-----
From: Laurie E. McQuillan [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 26, 2001 6:05 PM
To: scott [gts]; security-basics
Subject: RE: help - can someone explain this to me?
RFC 1918 restricts these address ranges to internal, privately-assigned
IP subnets:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
So 127.* and 198.* may or may not be internal, but the 10.* addresses
definitely are.
LMcQ
Laurie McQuillan, CISSP
Program Manager, Network Designs - FAA AVR Information Security
Office: 202-493-4415 Cell: 703-980-2428 eFax: 703-832-0785
eMail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
"You will only be remembered for two things:
the problems you solve, or the ones you create."
-----Original Message-----
From: scott [gts] [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 26, 2001 3:26 PM
To: security-basics
Subject: RE: help - can someone explain this to me?
I'm pretty sure that 10.*, 127.* and 198.* are not routable
on the internet (which is why so many LANs use them), so it
looks like whatever happened to your machine is coming
from inside the LAN where your machine is hosted.
Perhaps a machine that the ISP hosts is infected with something
and throwing out packets to everything on the LAN...?
(Maybe it's another damn IIS worm, since it appears
that your ISP hosts mostly NT/IIS machines.)
But don't take my word for it; that's just speculation, I'm
not a networking specialist or anything.
> -----Original Message-----
> From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]]
> Subject: help - can someone explain this to me?
>
> Hi,
> I'm webmaster of a large-ish website and yesterday the server went
> down. It is a Redhat 6.1 Linux server. All my ISP would do was press
> the 'reset' button - very kind of them (they are NT specialists).
> Inspecting my log files I found thousands of denied packets, all seem
> to be within a period of 6 hours.
> My question is, could such an attack disable my machine and crash it?
> Can anyone identify what sort of attack it was?
>
> Here's a summary below:
>
> Denied packets from modem-392.awesome.dialup.pol.co.uk
> (62.25.129.136).
> Port https (tcp,eth0,input): 5 packet(s).
> Total of 5 packet(s).
>
> Denied packets from 10.10.71.237.
> Port netbios-dgm (udp,eth1,input): 69 packet(s).
> Port netbios-ns (udp,eth1,input): 333 packet(s).
> Total of 402 packet(s).
>
> Denied packets from 10.10.0.4.
> Port netbios-dgm (udp,eth1,input): 496 packet(s).
> Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> Port 500 (udp,eth0,input): 6 packet(s).
> Total of 6 packet(s).
>
> Denied packets from 207.190.199.102.
> Port https (tcp,eth0,input): 11 packet(s).
> Total of 11 packet(s).
>
> Denied packets from 10.10.32.21.
> Port netbios-dgm (udp,eth1,input): 338 packet(s).
> Port netbios-ns (udp,eth1,input): 1742 packet(s).
> Total of 2080 packet(s).
>
> Denied packets from 172.17.0.18.
> Port 1434 (udp,eth1,input): 2 packet(s).
> Total of 2 packet(s).
>
> Denied packets from 10.10.1.37.
> Port netbios-dgm (udp,eth1,input): 496 packet(s).
> Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from 10.10.32.27.
> Port netbios-dgm (udp,eth1,input): 59 packet(s).
> Port netbios-ns (udp,eth1,input): 324 packet(s).
> Total of 383 packet(s).
>
> Denied packets from 10.10.32.28.
> Port netbios-dgm (udp,eth1,input): 107 packet(s).
> Port netbios-ns (udp,eth1,input): 513 packet(s).
> Total of 620 packet(s).
>
> Denied packets from 10.10.0.1.
> Port 0 (tcp,eth1,input): 3 packet(s).
> Total of 3 packet(s).
>
> Denied packets from 10.10.0.3.
> Port bootpc (udp,eth1,input): 19 packet(s).
> Port netbios-dgm (udp,eth1,input): 475 packet(s).
> Port netbios-ns (udp,eth1,input): 2259 packet(s).
> Total of 2753 packet(s).
>
> Thanks,
> Steve
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQA/AwUBO9oGZC1iZLqbmZBAEQLo4gCePtPgbmsrL5eHWk9/W2iUoaEcIcYAoIpE
IMQA6wrhS5H/B9+hXe6wDCDa
=gMzs
-----END PGP SIGNATURE-----