You are absolutely correct: they are routable within the local network,
but you have to use NAT to get out to the internet. That may be why you
see admins stating that they are not. I know that in some of the training
that I've had, it's been stressed that the 10.x, 127.x, and the 192.x
addresses can't be routed. I know that this is true in the grand scheme
of far side access, but you can route and switch them on the near side.
In a dedicated frame relay or better type network that has clients
hardwired to a LAN/WAN environment, you are only routing to the
intranet; you still have to NAT to get to the internet.

Robert Clark
MCSE, MCP+I, MCP, A+
MIS - Texas Cellular 

> -----Original Message-----
> From: Estis, Kevin A. [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, October 29, 2001 12:23 PM
> To: 'Andrew Blevins'; 'scott [gts]'; security-basics
> Subject: RE: help - can someone explain this to me?
> 
> 
> It is true that the addresses *can* be routed; however, they 
> are not routed on or over the Internet. Several large public 
> and private networks use these internal addresses on their 
> private networks (WANs covering not only the US, but also 
> other regions). It is also true that internal addresses are 
> often spoofed. The only way to determine if they originated 
> on the local LAN/network is to check the local switch routing 
> tables for the associated MAC addresses (assuming they were 
> logged). Checking the local switch routing tables will 
> eventually allow you to trace the device back to a physical 
> network port and location. There are software packages out 
> there for network management and sniffing that help to 
> automate this process (Network Instruments Observer, NAI 
> Sniffer, CiscoWorks, etc.).
> 
> Regards,
> 
> Kevin
> 
> -----Original Message-----
> From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 26, 2001 6:02 PM
> To: 'scott [gts]'; security-basics
> Subject: RE: help - can someone explain this to me?
> 
> 
> That these reserved addresses can't be routed I don't think 
> is entirely true (but I'm not a network spec. either! :-)). I 
> have seen many ISPs use 10. addresses for their own routers, 
> and for all intents and purposes "The Internet" includes 
> some ISP networks (cable, DSL). It is very possible that 
> someone is spoofing those 10. addresses, and they are still 
> being routed through to your box. Many times a DoS contains 
> many spoofed source addresses.
> 
> Andrew Blevins
> Arrowhead Help Desk
> 1-800-669-1889
> x. 8569
> 
> 
> -----Original Message-----
> From: scott [gts] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 26, 2001 12:26 PM
> To: security-basics
> Subject: RE: help - can someone explain this to me?
> 
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm pretty sure that 10.*, 127.* and 198.* are not routable
> on the internet (which is why so many LANs use them), so it 
> looks like whatever happened to your machine is coming from 
> inside the LAN where your machine is hosted.
> 
> perhaps a machine that the ISP hosts is infected with 
> something and throwing out packets to everything on the 
> LAN...? (maybe it's another damn IIS worm, since it appears  
> that your ISP hosts mostly NT/IIS machines)
> 
> but don't take my word, that's just a speculation, I'm
> not a networking specialist or anything.
> 
> > -----Original Message-----
> > From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]]
> > Subject: help - can someone explain this to me?
> > 
> > Hi,
> >     I'm webmaster of a large-ish website and yesterday the server
> > went down. It is a Redhat 6.1 Linux server.  All my ISP would do was
> > press the 'reset' button - very kind of them (they are NT
> > specialists). Inspecting my log files I found thousands of denied
> > packets, all seem to be within a period of 6 hours.
> > My question is, could such an attack disable my machine and crash it?
> > Can anyone identify what sort of attack it was?
> > 
> > Here's a summary below:
> > 
> > Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
> >   Port https (tcp,eth0,input): 5 packet(s).
> > Total of 5 packet(s).
> > 
> > Denied packets from 10.10.71.237.
> >   Port netbios-dgm (udp,eth1,input): 69 packet(s).
> >   Port netbios-ns (udp,eth1,input): 333 packet(s).
> > Total of 402 packet(s).
> > 
> > Denied packets from 10.10.0.4.
> >   Port netbios-dgm (udp,eth1,input): 496 packet(s).
> >   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > Total of 3421 packet(s).
> > 
> > Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> >   Port 500 (udp,eth0,input): 6 packet(s).
> > Total of 6 packet(s).
> > 
> > Denied packets from 207.190.199.102.
> >   Port https (tcp,eth0,input): 11 packet(s).
> > Total of 11 packet(s).
> > 
> > Denied packets from 10.10.32.21.
> >   Port netbios-dgm (udp,eth1,input): 338 packet(s).
> >   Port netbios-ns (udp,eth1,input): 1742 packet(s).
> > Total of 2080 packet(s).
> > 
> > Denied packets from 172.17.0.18.
> >   Port 1434 (udp,eth1,input): 2 packet(s).
> > Total of 2 packet(s).
> > 
> > Denied packets from 10.10.1.37.
> >   Port netbios-dgm (udp,eth1,input): 496 packet(s).
> >   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > Total of 3421 packet(s).
> > 
> > Denied packets from 10.10.32.27.
> >   Port netbios-dgm (udp,eth1,input): 59 packet(s).
> >   Port netbios-ns (udp,eth1,input): 324 packet(s).
> > Total of 383 packet(s).
> > 
> > Denied packets from 10.10.32.28.
> >   Port netbios-dgm (udp,eth1,input): 107 packet(s).
> >   Port netbios-ns (udp,eth1,input): 513 packet(s).
> > Total of 620 packet(s).
> > 
> > Denied packets from 10.10.0.1.
> >   Port 0 (tcp,eth1,input): 3 packet(s).
> > Total of 3 packet(s).
> > 
> > Denied packets from 10.10.0.3.
> >   Port bootpc (udp,eth1,input): 19 packet(s).
> >   Port netbios-dgm (udp,eth1,input): 475 packet(s).
> >   Port netbios-ns (udp,eth1,input): 2259 packet(s).
> > Total of 2753 packet(s).
> > 
> > Thanks,
> > Steve
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> 
> iQA/AwUBO9m43caXTGgZdrSUEQIcvgCfZ+8J4IIJNGsEITW9jBHaEhU0bFUAoME/
> jsdkTYNv3uylkRyyhvvyuQzi
> =mXgL
> -----END PGP SIGNATURE-----
> 
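
An added example, not part of the original thread: a small parser for the denied-packet summary format quoted above that totals packets per interface and marks sources in the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The sample is a subset of the poster's summary; the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the summary quoted in the thread, used as sample input.
SAMPLE = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
  Port https (tcp,eth0,input): 5 packet(s).
Total of 5 packet(s).

Denied packets from 10.10.0.4.
  Port netbios-dgm (udp,eth1,input): 496 packet(s).
  Port netbios-ns (udp,eth1,input): 2925 packet(s).
Total of 3421 packet(s).

Denied packets from 172.17.0.18.
  Port 1434 (udp,eth1,input): 2 packet(s).
Total of 2 packet(s).
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source line: either a bare IP or "hostname (IP)".
SRC_RE = re.compile(r"^Denied packets from (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\.$")
PORT_RE = re.compile(r"^\s+Port (\S+) \((\w+),(\w+),(\w+)\): (\d+) packet\(s\)\.$")

def is_rfc1918(addr):
    """True if addr falls in one of the three RFC 1918 private blocks."""
    return any(addr in net for net in RFC1918)

def parse(text):
    """Return a list of (source_ip, port, proto, iface, count) records."""
    records, src = [], None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m and src is not None:
            port, proto, iface, _chain, count = m.groups()
            records.append((src, port, proto, iface, int(count)))
    return records

def summarize(records):
    """Total denied packets per (interface, address class)."""
    totals = defaultdict(int)
    for src, _port, _proto, iface, count in records:
        kind = "rfc1918" if is_rfc1918(src) else "public"
        totals[(iface, kind)] += count
    return dict(totals)
```

Grouping by interface shows which network segment the private-source traffic arrived on, which is the first thing to establish before tracing MAC addresses on the local switch.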
