> Since 192.168 is a non-routeable IP (i.e. won't reach the Internet), it's
> no real surprise that nothing answered you from 100 subnet.
> 
> Unless you are running several computers, connected to a single
> hub/switch, with IP addresses of 192.168.100.xxx, you will not reach
> anything.
 
  You'll be able to "reach" a lot of things, but since they can't
get an answer back to you, the TCP handshake will fail. 
 
> There should be no way that a traceroute from an internal IP address
> should go through an external IP and back to an internal IP.
> 
> Is your NIC configured with both an internal and external IP?
 
  In order to get back answers to you, your outbound traceroute 
requests will need a public IP address as source if they go beyond
your enterprise network.  NAT can take care of that.
  Some of the answers may come from devices which are part of
networks that also use RFC1918 addresses.  Unless they implement
NAT at their borders -- NOT a good idea for long-haul bandwidth
providers! -- you will see these addresses listed in the traceroute.
  That does NOT mean that you can talk directly to those devices
using those addresses.... 
 
 
> jim:  3.  I recently checked my firewall (Network ICE), and noticed an attack
> jim:  from this IP:  192.168.1.113.  I tried to ping the attacking IP, but no
> jim:  response.  The attack details were these:
> jim:  TCP OS Fingerprint, and then FTP Port Probe.  Does this make any sense?
> jim:  How can someone use a supposedly local IP (192.168) to attack me?
> jim:  (Cable modem with 2 computers hooked up).
> 
> Spoofed source IP address.
 
  Not even.

  But note that it's possible to do damage with a single ICMP or
UDP packet (e.g. Slammer...).  If the attacker doesn't need to
get an answer back, there's no need for the source address to be
valid/reachable. 
 
> 
> As mentioned above, the class "B" 192.168.xxx.yyy IPs and class
> "A" 10.xxx.yyy.zzz IPs (as well as a class "C" set of IP addresses)
> are not routeable.

1.  192.168.x.x *is* Class "C".  The class B range is 172.16.x.x
through 172.31.x.x.

2.  "not routeable" is a very misleading term, because it's perfectly
legal to implement routing for them between subnets within an enterprise 
network.
  What's NOT legal is to broadcast these routes to the global Internet,
where they would conflict with every other enterprise that also uses
them.  

David Gillett
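
An added illustration, not part of the original message: a Python sketch that maps a source address to its RFC 1918 block and historical class (the point of item 1 above) and flags private sources logged on an outside interface, as in jim's firewall alert. The log format, the interface names and every sample line are constructed assumptions.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classful(addr):
    """Historical (pre-CIDR) class, decided by the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"

def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None

# Constructed sample log, one packet per line: iface src dst proto dport
SAMPLE_LOG = """\
wan 192.168.1.113 203.0.113.7 tcp 21
wan 198.51.100.20 203.0.113.7 tcp 80
lan 192.168.0.5 203.0.113.7 tcp 443
wan 172.31.255.9 203.0.113.7 udp 1434
wan 172.32.0.1 203.0.113.7 tcp 22
wan 10.9.8.7 203.0.113.7 icmp 0
"""

def flag_private_on_wan(log, wan_iface="wan"):
    """List (src, block, class, proto, dport) for private sources seen on the WAN side."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        iface, src, _dst, proto, dport = parts
        try:
            block = rfc1918_block(src)
        except ValueError:
            continue  # source field is not an IP address
        if iface == wan_iface and block:
            findings.append((src, block, classful(src), proto, int(dport)))
    return findings
```

Note that 172.32.0.1 is not flagged: the class B private range ends at 172.31.x.x.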


