Just because the addresses are RFC unroutable does not mean that all 
routers on the Internet drop those IPs.  It would be nice if they did, 
but ISPs have to specifically set those rules.  Also, it is possible 
that the ISP is using a natting router internally.  They may have a 
large internal network that nats to only dozens of IP addresses so as 
not to use up all of their IPs for dialup users.  One thing you could 
try is to traceroute to the source IPs.  See if they are close by, how 
many hops away..

Moo wrote:

>but that does not explain why he is getting hits by non routable ip
>addresses..even if they were natted they would show the NAT external address
>..not the internal address
>and yes 10.x.x.x , 172.16-31.x.x ,192.168.x.x are non routable (RFC 1918)
>perhaps you should email the abuse lines for the other address ...that's my
>2 cents
>
>Fraser Morehouse
>CCNP/CCDA
>----- Original Message -----
>From: "Lutz Badenheuer" <[EMAIL PROTECTED]>
>To: "security-basics" <[EMAIL PROTECTED]>
>Sent: Friday, October 26, 2001 7:41 PM
>Subject: Re: help - can someone explain this to me?
>
>
>>Please have another look at your documentation. The so-called
>>"unregistered" IP-addresses are 10.0.0.0/8, 172.0.0.0/16 (i think, i
>>don't use these ones) and 192.168.0.0/16.
>>
>>In fact, to me it doesn't seem that one of the denied connects listed
>>below could have done any harm to your system. In fact, you shouldn't
>>be too serious about the connects on ports "netbios-.*" (137, 139),
>>because that is normal windows file sharing and can be seen within
>>every network that has Wintendo boxes in it.
>>
>>Possibly, your log files filled up your harddisk so that the machine
>>crashed.
>>
>>If those connects were all within a short period of time and you've
>>not seen connects like these in this massive amount before, something
>>changed in that network, and your ISP should immediately scan his
>>boxes for the Nimda worm. He could be vulnerable because of using
>>the inherently insecure Windows operating system. Nimda replicates
>>(among other mechanisms) using these ports which are used by the SMB
>>protocol. This worm cannot do any harm to your Linux box.
>>
>>RedHat 6.1 is a very, very old release and can be easily attacked by
>>using information or ready-to-use exploits that can be found at
>>rootshell.com or similar sites. You should upgrade IMMEDIATELY - that
>>means, NOW!
>>
>>Sorry for any inconveniences because of my bad English, but I'm a
>>German and suffer from a lack of training in that language.
>>
>>HTH,
>>Lutz
>>
>>On Friday, 26 October 2001 21:26, scott [gts] wrote:
>>
>>>I'm pretty sure that 10.*, 127.* and 198.* are not routable
>>>on the internet (which is why so many LANs use them), so it
>>>looks like whatever happened to your machine is coming
>>>from inside the LAN where your machine is hosted.
>>>
>>>perhaps a machine that the ISP hosts is infected with something
>>>and throwing out packets to everything on the LAN...?
>>>(maybe it's another damn IIS worm, since it appears
>>> that your ISP hosts mostly NT/IIS machines)
>>>
>>>but don't take my word, that's just a speculation, I'm
>>>not a networking specialist or anything.
>>>
>>>>-----Original Message-----
>>>>From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]]
>>>>Subject: help - can someone explain this to me?
>>>>
>>>>Hi,
>>>>    I'm webmaster of a large-ish website and yesterday the server
>>>>went down. It is a Redhat 6.1 Linux server.  All my ISP would do
>>>>was press the 'reset' button - very kind of them (they are NT
>>>>specialists).
>>>>Inspecting my log files I found thousands of denied packets, all
>>>>seem to be within a period of 6 hours.
>>>>My question is, could such an attack disable my machine and crash
>>>>it?  Can anyone identify what sort of attack it was?
>>>>
>>>>Here's a summary below:
>>>>
>>>>Denied packets from modem-392.awesome.dialup.pol.co.uk
>>>>(62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
>>>>Total of 5 packet(s).
>>>>
>>>>Denied packets from 10.10.71.237.
>>>>  Port netbios-dgm (udp,eth1,input): 69 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 333 packet(s).
>>>>Total of 402 packet(s).
>>>>
>>>>Denied packets from 10.10.0.4.
>>>>  Port netbios-dgm (udp,eth1,input): 496 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 2925 packet(s).
>>>>Total of 3421 packet(s).
>>>>
>>>>Denied packets from userSg017.videon.wave.ca (204.112.48.37).
>>>>  Port 500 (udp,eth0,input): 6 packet(s).
>>>>Total of 6 packet(s).
>>>>
>>>>Denied packets from 207.190.199.102.
>>>>  Port https (tcp,eth0,input): 11 packet(s).
>>>>Total of 11 packet(s).
>>>>
>>>>Denied packets from 10.10.32.21.
>>>>  Port netbios-dgm (udp,eth1,input): 338 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 1742 packet(s).
>>>>Total of 2080 packet(s).
>>>>
>>>>Denied packets from 172.17.0.18.
>>>>  Port 1434 (udp,eth1,input): 2 packet(s).
>>>>Total of 2 packet(s).
>>>>
>>>>Denied packets from 10.10.1.37.
>>>>  Port netbios-dgm (udp,eth1,input): 496 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 2925 packet(s).
>>>>Total of 3421 packet(s).
>>>>
>>>>Denied packets from 10.10.32.27.
>>>>  Port netbios-dgm (udp,eth1,input): 59 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 324 packet(s).
>>>>Total of 383 packet(s).
>>>>
>>>>Denied packets from 10.10.32.28.
>>>>  Port netbios-dgm (udp,eth1,input): 107 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 513 packet(s).
>>>>Total of 620 packet(s).
>>>>
>>>>Denied packets from 10.10.0.1.
>>>>  Port 0 (tcp,eth1,input): 3 packet(s).
>>>>Total of 3 packet(s).
>>>>
>>>>Denied packets from 10.10.0.3.
>>>>  Port bootpc (udp,eth1,input): 19 packet(s).
>>>>  Port netbios-dgm (udp,eth1,input): 475 packet(s).
>>>>  Port netbios-ns (udp,eth1,input): 2259 packet(s).
>>>>Total of 2753 packet(s).
>>>>
>>>>Thanks,
>>>>
>>>Steve
>>>
>>--
>>99% of Microsoft's software is copied from UNIX. 1% serves
>>to make MS incompatible with the rest of the world.
>>Lutz Badenheuer | IT-Consulting, Development, Networksolutions
>>[EMAIL PROTECTED] | C/C++, Perl, bash | Linux, SCO UNIX, Solaris
>>
>
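
Added example, not part of the original thread: a small parser for the denied-packet summary format quoted above that classifies each source as RFC 1918 private or public and totals packets per interface and port, which makes it easy to see whether private-address traffic arrives on the LAN side or the Internet side. The function names are hypothetical, and `SAMPLE` holds three entries copied from the quoted summary.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges, as listed in the thread: 10.x, 172.16-31.x, 192.168.x
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PORT_RE = re.compile(r"Port (\S+) \((\w+),(\w+),\w+\): (\d+) packet")

# Three entries copied from the summary quoted in the thread.
SAMPLE = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk
(62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
Total of 5 packet(s).

Denied packets from 10.10.0.4.
  Port netbios-dgm (udp,eth1,input): 496 packet(s).
  Port netbios-ns (udp,eth1,input): 2925 packet(s).
Total of 3421 packet(s).

Denied packets from 172.17.0.18.
  Port 1434 (udp,eth1,input): 2 packet(s).
Total of 2 packet(s).
"""

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def summarize(text):
    """Group denied packets by (interface, private|public) source class."""
    out = defaultdict(lambda: {"sources": set(), "ports": defaultdict(int)})
    for block in re.split(r"\n\s*\n", text.strip()):
        m = IP_RE.search(block)  # first IPv4 in the entry is the source
        if not m:
            continue
        kind = "private" if is_rfc1918(m.group(0)) else "public"
        for port, proto, iface, count in PORT_RE.findall(block):
            bucket = out[(iface, kind)]
            bucket["sources"].add(m.group(0))
            bucket["ports"][f"{port}/{proto}"] += int(count)
    return out

def private_on(summary, iface):
    """RFC 1918 sources seen on one interface (sorted list)."""
    entry = summary.get((iface, "private"))
    return sorted(entry["sources"]) if entry else []

if __name__ == "__main__":
    for (iface, kind), data in sorted(summarize(SAMPLE).items()):
        print(iface, kind, sorted(data["sources"]), dict(data["ports"]))
```

In this excerpt every private source arrives on eth1 and every public source on eth0; a private source on the Internet-facing interface would instead point to missing ingress filtering upstream.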

