[100808] in North American Network Operators' Group


RE: General question on rfc1918

daemon@ATHENA.MIT.EDU (Darden, Patrick S.)
Tue Nov 13 10:17:24 2007

Date: Tue, 13 Nov 2007 10:14:28 -0500
In-Reply-To: <B7152C470C9BF3448ED33F16A75D81C14D0FDF0265@exchanga.thenap.com>
From: "Darden, Patrick S." <darden@armc.org>
To: "Drew Weaver" <drew.weaver@thenap.com>, <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu



They do.  What you are seeing are probably forged packets.  Nmap etc. all let you forge SIP, in fact they automate it.  One Nmap mode actually actively obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one real one--this makes it hard to figure out who is actually scanning your networks.

Of course, if you don't filter incoming traffic on your inner interfaces, then the traffic could be from your own network.  A lot of people filter only on their external ints:

	outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
	incoming traffic limited to [public IP addresses]

Make sense?

--Patrick Darden
--Internetworking Manager
--ARMC


-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: nanog@merit.edu
Subject: General question on rfc1918



Hi there, I just had a real quick question. I hope this is found to be on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in their core?

Thanks,
-Drew
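
The two external-interface rules sketched in the reply above, written out as an added example that is not part of either message. The prefixes standing in for mynetwork1..3 and the sample packets are constructed, and "public" is taken here to mean "not in an RFC 1918 block", which is an assumption.

```python
import ipaddress
from collections import Counter

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed prefixes standing in for mynetwork1..3 (documentation ranges).
MY_NETWORKS = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def external_interface_verdict(direction, src):
    """Apply the two external-interface rules to one packet's source address."""
    addr = ipaddress.ip_address(src)
    if direction == "out":
        # outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
        return "permit" if _in_any(addr, MY_NETWORKS) else "drop: source not ours"
    if direction == "in":
        # incoming traffic limited to [public IP addresses]
        return "drop: rfc1918 source" if _in_any(addr, RFC1918) else "permit"
    raise ValueError(f"unknown direction: {direction!r}")


def summarize(packets):
    """Count verdicts over (direction, source) pairs."""
    return Counter(external_interface_verdict(d, s) for d, s in packets)


# Constructed sample: (direction, source address) on the transit-facing interface.
SAMPLE = [
    ("in", "192.168.0.17"),
    ("in", "10.0.0.5"),
    ("in", "172.31.255.1"),  # last /16 inside 172.16.0.0/12
    ("in", "172.32.0.1"),    # just outside 172.16.0.0/12, so public
    ("in", "8.8.8.8"),
    ("out", "192.0.2.10"),
    ("out", "10.1.2.3"),     # internal RFC 1918 host leaving without NAT
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {verdict}")
```

A non-zero "drop: rfc1918 source" count on a transit interface is the situation the original question describes; the source address alone does not say who sent the packet.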
