jim: Date: Mon, 7 Jul 2003 20:27:17 -0400 jim: From: Jim <[EMAIL PROTECTED]> jim: To: [EMAIL PROTECTED] jim: Subject: Questions about 192.168 jim: jim: Hi, jim: jim: I've been following some of the conversations about 192.168 networks, jim: and tried some experimentation, and came up with a few questions: jim: jim: 1. I've tried the technique mentioned to ping the broadcast address, jim: and then check arp -a (on Windows 2000 machines). This didn't seem to jim: work. For example, I pinged 192.168.100.255. This should add all jim: 192.168.100.x IPs into my arp cache, right? But my cable modem didn't jim: show up in my arp cache after doing this. However, when I pinged my jim: cable modem directly (192.168.100.1), it did show up in my arp cache. I jim: tried this on a computer on the Internet (which I telneted to), with jim: similar results. (Is it because Microsoft recognizes 192.168.100.255 as jim: a valid IP?). When I do a traceroute to my cable modem (192.168.100.1), jim: it is a direct hop.
Since 192.168 is a non-routeable IP (ie: wont reach the Internet), it's no real surprise that nothing answered you from 100 subnet. Unless you are running several computers, connected to a single hub/switch, with IP addresses of 192.168.100.xxx, you will not reach anything. jim: 2. However, with the computer on the Internet I mentioned (which I am jim: telneting to), there were the following IPs: 192.168.1.0, 192.168.1.1, jim: 192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through jim: doing an nmap scan. (pinging 192.168.1.255 produced no results in the jim: arp table) Three are apparently Cisco routers (192.168.1.0 and jim: 192.168.1.255 are both ping-able). When doing nmap, it shows jim: 192.168.1.255 as remote, the others as local. However, when I do a jim: traceroute on these supposedly local ones, it shows a number of hops out jim: over the Internet, implying that they are not connected locally. Does jim: this make sense? Something is misconfigured, and considered to be a security threat. There should be no way that a traceroute from an internal IP address should go through an external IP and back to an internal IP. Is your NIC configure with both an internal and external IP? jim: 3. I recently checked my firewall (Network ICE), and noticed an attack jim: from this IP: 192.168.1.113. I tried to ping the attacking IP, but no jim: response. The attack details were these: jim: TCP OS Fingerprint, and then FTP Port Probe. Does this make any sense? jim: How can someone use a supposedly local IP (192.168) to attack me? jim: (Cable modem with 2 computers hooked up). Spoofed source IP address. jim: So can someone clarify these things? IE, why does it look like the only jim: way to really detect 192.168 devices on your network is to scan for them jim: - in other words, the pinging of the broadcast address doesn't work (or jim: am I pinging the wrong broadcast address?). Why do 192.168 devices, jim: which are supposed to be local, have a number of (internet) hops between jim: them when you ping them? And can anyone explain how someone could jim: attack me via my cable modem, with a source address of 192.168.1.113 jim: (which I was unable to ping or otherwise detect)? In general, why don't jim: these 192.168 addresses show up in the routing table, netstat, etc.? jim: jim: Thanks, jim: jim: Jim As mentioned above, the class "B" 192.168.xxx.yyy IPs and class "A" 10.xxx.yyy.zzz IPs (as well as a class "C" set of IP addresses) are not routeable. HTH Thanks Scott Birl http://concept.temple.edu/sysadmin/ Senior Systems Administrator Computer Services Temple University ====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====* --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
