It is true that the addresses *can* be routed; however, they are not routed on or over the Internet. Several large public and private networks use these internal addresses on their private networks (WANS covering not only the US, but also other regions). It is also true that internal addresses are often spoofed. The only way to determine if they originated on the local LAN/network is to check the local switch routing tables for the associated MAC addresses (assuming they were logged). Checking the local switch routing tables will eventually allow you to trace the device back to a physical network port and location. There are software packages out there for network management and sniffing that help to automate this process (Network Instruments Observer, NAI Sniffer, CiscoWorks, etc.).
Regards, Kevin -----Original Message----- From: Andrew Blevins [mailto:[EMAIL PROTECTED]] Sent: Friday, October 26, 2001 6:02 PM To: 'scott [gts]'; security-basics Subject: RE: help - can someone explain this to me? That these reserved addresses can't be routed I don't think is entirely true (but I'm not a network spec. either! :-) . I have seen many ISP's use 10. addresses for their own routers, and for all intent's and purposes "The Internet" includes some ISP networks (cable, DSL). It is very possible that someone is spoofing those 10. addresses, and they are still being routed through to your box. many times a DoS contains many spoofed source addresses. Andrew Blevins Arrowhead Help Desk 1-800-669-1889 x. 8569 -----Original Message----- From: scott [gts] [mailto:[EMAIL PROTECTED]] Sent: Friday, October 26, 2001 12:26 PM To: security-basics Subject: RE: help - can someone explain this to me? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 im pretty sure that 10.*, 127.* and 198.* are not routable on the internet (which is why so many LANs use them), so it looks like whatever happened to your machine is coming from inside the LAN where your machine is hosted. perhaps a machine that the ISP hosts is infected with something and throwing out packets to everything on the LAN...? (maybe it's another damn IIS worm, since it appears that your ISP hosts mostly NT/IIS machines) but dont take my word, that's just a speculation, i'm not a networking specialist or anything. > -----Original Message----- > From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]] > Subject: help - can someone explain this to me? > > Hi, > I'm webmaster of a large-ish website and yesterday the server went down. > It is a Redhat 6.1 Linux server. All my ISP would do was press the 'reset' > button - very kind of them (they are NT specialists). > Inspecting my log files I found thousands of denied packets, all seem to be > within a period of 6 hours. > My question is, could such an attack disable my machine and crash it? Can > anyone identify what sort of attack it was? > > Here's a summary below: > > Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136). > Port https (tcp,eth0,input): 5 packet(s). > Total of 5 packet(s). > > Denied packets from 10.10.71.237. > Port netbios-dgm (udp,eth1,input): 69 packet(s). > Port netbios-ns (udp,eth1,input): 333 packet(s). > Total of 402 packet(s). > > Denied packets from 10.10.0.4. > Port netbios-dgm (udp,eth1,input): 496 packet(s). > Port netbios-ns (udp,eth1,input): 2925 packet(s). > Total of 3421 packet(s). > > Denied packets from userSg017.videon.wave.ca (204.112.48.37). > Port 500 (udp,eth0,input): 6 packet(s). > Total of 6 packet(s). > > Denied packets from 207.190.199.102. > Port https (tcp,eth0,input): 11 packet(s). > Total of 11 packet(s). > > Denied packets from 10.10.32.21. > Port netbios-dgm (udp,eth1,input): 338 packet(s). > Port netbios-ns (udp,eth1,input): 1742 packet(s). > Total of 2080 packet(s). > > Denied packets from 172.17.0.18. > Port 1434 (udp,eth1,input): 2 packet(s). > Total of 2 packet(s). > > Denied packets from 10.10.1.37. > Port netbios-dgm (udp,eth1,input): 496 packet(s). > Port netbios-ns (udp,eth1,input): 2925 packet(s). > Total of 3421 packet(s). > > Denied packets from 10.10.32.27. > Port netbios-dgm (udp,eth1,input): 59 packet(s). > Port netbios-ns (udp,eth1,input): 324 packet(s). > Total of 383 packet(s). > > Denied packets from 10.10.32.28. > Port netbios-dgm (udp,eth1,input): 107 packet(s). > Port netbios-ns (udp,eth1,input): 513 packet(s). > Total of 620 packet(s). > > Denied packets from 10.10.0.1. > Port 0 (tcp,eth1,input): 3 packet(s). > Total of 3 packet(s). > > Denied packets from 10.10.0.3. > Port bootpc (udp,eth1,input): 19 packet(s). > Port netbios-dgm (udp,eth1,input): 475 packet(s). > Port netbios-ns (udp,eth1,input): 2259 packet(s). > Total of 2753 packet(s). > > Thanks, Steve -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO9m43caXTGgZdrSUEQIcvgCfZ+8J4IIJNGsEITW9jBHaEhU0bFUAoME/ jsdkTYNv3uylkRyyhvvyuQzi =mXgL -----END PGP SIGNATURE-----
