All,
Part of the non-routable portion there comes from the "Best Current
Practice" standard listed in RFC 2827, implementing ingress filtering.

This RFC goes beyond just not routing RFC 1918 (private networks, i.e. 10.x.x.x,
192.168.x.x).
It even recommends 127.x.x.x and 224.x.x.x - 255.x.x.x.
Most ISPs do this. From what I have seen the ones that don't are not using
out-of-band management to the router and network devices, or they are using
the same network to manage the devices as they are for you to use them.
This can be considered a security problem in and of itself, and this is
where the small ISP or an ISP that is growing exponentially could be causing
you a problem.

I would recommend that you configure RFC 2827 filtering on your border
router, in case you feel the ISP is not. And then I would set up a syslog
server to capture logs of when the access lists catch this. Remember that
if you can't afford the overhead of the ACL, just use a null route to block
it. These last two items consider that you have a router that can do this.

Hope this helps.

Jim McBurnett
CCNA, MCSE, MCP
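The filtering Jim recommends above, modelled in code. This is an added example for the thread, not configuration from Jim or from RFC 2827 itself: the interface names, the customer prefix 203.0.113.0/24 (RFC 5737 documentation space), the log-line format and the sample packets are all constructed for the illustration. It checks both halves of the RFC 2827 rule (sources on a customer link must fall inside that customer's assigned prefix; sources from upstream must be neither bogons, meaning the RFC 1918, 127/8 and 224-255 ranges named in the post, nor our own address space) and emits a syslog-style line for each denial.

```python
"""Model of RFC 2827 ingress filtering at a border router.

Added example for this thread, not configuration from any poster.
Interface names, the customer prefix 203.0.113.0/24 (RFC 5737
documentation space standing in for a block an ISP assigned to a
customer), the log-line format and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Source ranges that must never arrive from the Internet: RFC 1918 private
# space plus the loopback and class D/E ranges (127/8, 224-255) that the
# post says RFC 2827 also recommends filtering.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/3",
)]

# Constructed topology: Serial0 faces the upstream provider, Ethernet1 faces
# a customer LAN that was assigned 203.0.113.0/24.
INTERFACES = {
    "Serial0": {"role": "upstream", "prefixes": []},
    "Ethernet1": {"role": "customer",
                  "prefixes": [ipaddress.ip_network("203.0.113.0/24")]},
}

# Everything assigned to customers behind this router.
OUR_PREFIXES = [n for cfg in INTERFACES.values() for n in cfg["prefixes"]]


@dataclass
class Verdict:
    action: str   # "permit" or "deny"
    reason: str


def ingress_check(src: str, iface: str) -> Verdict:
    """Decide whether a packet with source SRC arriving on IFACE may enter."""
    addr = ipaddress.ip_address(src)
    cfg = INTERFACES[iface]
    if cfg["role"] == "customer":
        # RFC 2827 proper: a customer link may only originate packets from
        # the prefix(es) assigned to that customer. Anything else is spoofed
        # or misconfigured, including RFC 1918 leakage from their LAN.
        for net in cfg["prefixes"]:
            if addr in net:
                return Verdict("permit", f"source inside assigned {net}")
        return Verdict("deny", f"source not in prefix assigned to {iface}")
    # Upstream side: drop bogons and packets claiming to come from our own
    # address space (those can only be spoofed, since our space is behind us).
    for net in BOGON_SOURCES:
        if addr in net:
            return Verdict("deny", f"bogon source {net}")
    for net in OUR_PREFIXES:
        if addr in net:
            return Verdict("deny", f"our prefix {net} arriving from upstream")
    return Verdict("permit", "public source from upstream")


def syslog_line(src: str, iface: str, verdict: Verdict) -> str:
    """Constructed log line in the shape an ACL hit would be sent to a syslog server."""
    return (f"ingress-filter iface={iface} src={src} "
            f"action={verdict.action} reason=\"{verdict.reason}\"")


def apply_filter(packets):
    """Run a batch of (src, iface) pairs; return (permitted, log lines for denials)."""
    permitted, denials = [], []
    for src, iface in packets:
        v = ingress_check(src, iface)
        if v.action == "permit":
            permitted.append((src, iface))
        else:
            denials.append(syslog_line(src, iface, v))
    return permitted, denials


# Constructed traffic sample: two legitimate packets and four that an
# RFC 2827 filter should log and drop.
SAMPLE_PACKETS = [
    ("198.51.100.7", "Serial0"),     # ordinary Internet host
    ("203.0.113.20", "Ethernet1"),   # customer using its own space
    ("10.10.0.4", "Serial0"),        # RFC 1918 source from the Internet
    ("127.0.0.1", "Serial0"),        # loopback source from the Internet
    ("203.0.113.20", "Serial0"),     # our own prefix spoofed from outside
    ("10.10.0.4", "Ethernet1"),      # private address leaking out of the customer LAN
]

if __name__ == "__main__":
    ok, logs = apply_filter(SAMPLE_PACKETS)
    print(f"permitted {len(ok)} packet(s)")
    for line in logs:
        print(line)
```

Run it directly to see the permitted count and the four denial lines. The null-route alternative Jim mentions is not modelled here; it is the cheaper drop when the ACL's per-packet cost and per-hit logging are more than the router can carry.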



-----Original Message-----
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 30, 2001 11:29 AM
To: 'Moo'; security-basics
Subject: RE: help - can someone explain this to me?


I don't feel too ignorant, since this is "Security Basics"! I learn every
day from this list. However, I think that saying 10.x.x.x, 172.16-31.x.x,
192.168.x.x addresses are "non-routable", as many have said, is
misleading. As far as I understand it, the only thing that makes these
"non-routable" is if routers and such are configured to make them so. These
addresses are just as routable as any other address; it's just that RFC 1918
has standardized them to not be routed.
        Obviously, any ISP or WAN admin worth a buck is going to use NAT and
access lists and all that to make sure that none of these addresses exist on
the internet.


Andrew Blevins



-----Original Message-----
From: Moo [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 29, 2001 12:53 PM
To: security-basics
Subject: Re: help - can someone explain this to me?


But that does not explain why he is getting hits by non-routable IP
addresses. Even if they were NATted they would show the NAT external address,
not the internal address.
And yes, 10.x.x.x, 172.16-31.x.x, 192.168.x.x are non-routable (RFC 1918).
Perhaps you should email the abuse lines for the other address... that's my
2 cents.

Fraser Morehouse
CCNP/CCDA
----- Original Message -----
From: "Lutz Badenheuer" <[EMAIL PROTECTED]>
To: "security-basics" <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 7:41 PM
Subject: Re: help - can someone explain this to me?


> Please have another look at your documentation. The so-called
> "unregistered" IP-addresses are 10.0.0.0/8, 172.0.0.0/16 (I think, I
> don't use these ones) and 192.168.0.0/16.
>
> In fact, to me it doesn't seem that one of the denied connects listed
> below could have done any harm to your system. In fact, you shouldn't
> be too serious about the connects on ports "netbios-.*" (137, 139),
> because that is normal windows file sharing and can be seen within
> every network that has Wintendo boxes in it.
>
> Possibly, your log files filled up your harddisk so that the machine
> crashed.
>
> If those connects were all within a short period of time and you've
> not seen connects like these in this massive amount before, something
> changed in that network, and your ISP should immediately scan his
> boxes for the Nimda worm. He could be vulnerable because of using
> the inherently insecure Windows operating system. Nimda replicates
> (among other mechanisms) using these ports which are used by the SMB
> protocol. This worm cannot do any harm to your Linux box.
>
> RedHat 6.1 is a very, very old release and can be easily attacked by
> using information or ready-to-use exploits that can be found at
> rootshell.com or similar sites. You should upgrade IMMEDIATELY - that
> means, NOW!
>
> Sorry for any inconveniences because of my bad English, but I'm a
> German and suffer from a lack of training in that language.
>
> HTH,
> Lutz
>
> On Friday, 26 October 2001 21:26, scott [gts] wrote:
> > I'm pretty sure that 10.*, 127.* and 198.* are not routable
> > on the internet (which is why so many LANs use them), so it
> > looks like whatever happened to your machine is coming
> > from inside the LAN where your machine is hosted.
> >
> > Perhaps a machine that the ISP hosts is infected with something
> > and throwing out packets to everything on the LAN...?
> > (maybe it's another damn IIS worm, since it appears
> >  that your ISP hosts mostly NT/IIS machines)
> >
> > But don't take my word, that's just speculation, I'm
> > not a networking specialist or anything.
> >
> > > -----Original Message-----
> > > From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]]
> > > Subject: help - can someone explain this to me?
> > >
> > > Hi,
> > >     I'm webmaster of a large-ish website and yesterday the server
> > > went down. It is a Redhat 6.1 Linux server.  All my ISP would do
> > > was press the 'reset' button - very kind of them (they are NT
> > > specialists).
> > > Inspecting my log files I found thousands of denied packets, all
> > > seem to be within a period of 6 hours.
> > > My question is, could such an attack disable my machine and crash
> > > it?  Can anyone identify what sort of attack it was?
> > >
> > > Here's a summary below:
> > >
> > > Denied packets from modem-392.awesome.dialup.pol.co.uk
> > > (62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
> > > Total of 5 packet(s).
> > >
> > > Denied packets from 10.10.71.237.
> > >   Port netbios-dgm (udp,eth1,input): 69 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 333 packet(s).
> > > Total of 402 packet(s).
> > >
> > > Denied packets from 10.10.0.4.
> > >   Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> > >   Port 500 (udp,eth0,input): 6 packet(s).
> > > Total of 6 packet(s).
> > >
> > > Denied packets from 207.190.199.102.
> > >   Port https (tcp,eth0,input): 11 packet(s).
> > > Total of 11 packet(s).
> > >
> > > Denied packets from 10.10.32.21.
> > >   Port netbios-dgm (udp,eth1,input): 338 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 1742 packet(s).
> > > Total of 2080 packet(s).
> > >
> > > Denied packets from 172.17.0.18.
> > >   Port 1434 (udp,eth1,input): 2 packet(s).
> > > Total of 2 packet(s).
> > >
> > > Denied packets from 10.10.1.37.
> > >   Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from 10.10.32.27.
> > >   Port netbios-dgm (udp,eth1,input): 59 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 324 packet(s).
> > > Total of 383 packet(s).
> > >
> > > Denied packets from 10.10.32.28.
> > >   Port netbios-dgm (udp,eth1,input): 107 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 513 packet(s).
> > > Total of 620 packet(s).
> > >
> > > Denied packets from 10.10.0.1.
> > >   Port 0 (tcp,eth1,input): 3 packet(s).
> > > Total of 3 packet(s).
> > >
> > > Denied packets from 10.10.0.3.
> > >   Port bootpc (udp,eth1,input): 19 packet(s).
> > >   Port netbios-dgm (udp,eth1,input): 475 packet(s).
> > >   Port netbios-ns (udp,eth1,input): 2259 packet(s).
> > > Total of 2753 packet(s).
> > >
> > > Thanks,
> >
> > Steve
>
> --
> Microsoft's software is 99% copied from UNIX. The remaining 1% serves
> to make MS incompatible with the rest of the world.
> Lutz Badenheuer | IT-Consulting, Development, Networksolutions
> [EMAIL PROTECTED] | C/C++, Perl, bash | Linux, SCO UNIX, Solaris
>
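Steve's denied-packet summary is the kind of record a syslog server like the one Jim describes would be collecting, and the argument between Moo, Andrew and scott is about what the RFC 1918 sources in it mean. As an added example (not code from any poster), this parses that summary format and classifies each source against the three RFC 1918 blocks; the SAMPLE text is a subset of the lines from Steve's post, and the record layout and function names are this example's own. The per-interface breakdown makes the pattern the thread is circling visible in one line: every private-address source arrived on eth1 and every public one on eth0.

```python
"""Parse a 'Denied packets from ...' summary and classify the sources.

Added example for this thread; none of the posters supplied code. The
SAMPLE text is a subset of the lines Steve posted; the record layout and
function names are assumptions of this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# The three blocks RFC 1918 reserves, as the thread states them.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk
(62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
Total of 5 packet(s).

Denied packets from 10.10.71.237.
  Port netbios-dgm (udp,eth1,input): 69 packet(s).
  Port netbios-ns (udp,eth1,input): 333 packet(s).
Total of 402 packet(s).

Denied packets from userSg017.videon.wave.ca (204.112.48.37).
  Port 500 (udp,eth0,input): 6 packet(s).
Total of 6 packet(s).

Denied packets from 172.17.0.18.
  Port 1434 (udp,eth1,input): 2 packet(s).
Total of 2 packet(s).

Denied packets from 10.10.0.3.
  Port bootpc (udp,eth1,input): 19 packet(s).
  Port netbios-dgm (udp,eth1,input): 475 packet(s).
  Port netbios-ns (udp,eth1,input): 2259 packet(s).
Total of 2753 packet(s).
"""

# Source is either a bare IP or "hostname (ip)", always followed by a period.
SOURCE_RE = re.compile(r"^(\S+?)(?:\s+\((\d+\.\d+\.\d+\.\d+)\))?\.\s")
PORT_RE = re.compile(r"Port (\S+) \((\w+),(\w+),(\w+)\): (\d+) packet")
TOTAL_RE = re.compile(r"Total of (\d+) packet")


@dataclass
class PortHit:
    service: str
    proto: str
    iface: str
    count: int


@dataclass
class Entry:
    host: str
    ip: str
    hits: list = field(default_factory=list)
    total: int = 0

    @property
    def consistent(self) -> bool:
        """True when the per-port counts add up to the reported total."""
        return sum(h.count for h in self.hits) == self.total

    @property
    def private(self) -> bool:
        addr = ipaddress.ip_address(self.ip)
        return any(addr in net for net in RFC1918)


def parse_summary(text: str):
    """Split the summary into per-source entries; tolerant of wrapped lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(block.split())            # undo line wrapping
        if not flat.startswith("Denied packets from "):
            continue
        flat = flat[len("Denied packets from "):]
        m = SOURCE_RE.match(flat)
        if not m:
            continue
        host, ip = m.group(1), m.group(2) or m.group(1)
        entry = Entry(host=host, ip=ip)
        for svc, proto, iface, _direction, count in PORT_RE.findall(flat):
            entry.hits.append(PortHit(svc, proto, iface, int(count)))
        t = TOTAL_RE.search(flat)
        entry.total = int(t.group(1)) if t else sum(h.count for h in entry.hits)
        entries.append(entry)
    return entries


def interface_breakdown(entries):
    """Per interface, how many denied packets came from private vs public sources."""
    out = {}
    for e in entries:
        for h in e.hits:
            bucket = out.setdefault(h.iface, {"private": 0, "public": 0})
            bucket["private" if e.private else "public"] += h.count
    return out


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for e in parsed:
        flag = "RFC1918" if e.private else "public "
        check = "" if e.consistent else "  (counts do not match total)"
        ifaces = sorted({h.iface for h in e.hits})
        print(f"{flag} {e.ip:16} {e.total:6d} packet(s) on {ifaces}{check}")
    print(interface_breakdown(parsed))
```

The parser flattens each entry before matching because the first record in Steve's post wraps its hostname and IP across two lines; the `consistent` check catches a truncated or mangled record before its counts go into a report.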

