[107365] in North American Network Operators' Group


198.32.64.12 -- Harmless mis-route or potential exploit?

daemon@ATHENA.MIT.EDU (Dan Mahoney, System Admin)
Tue Sep 2 18:24:37 2008

Date: Tue, 2 Sep 2008 18:24:21 -0400 (EDT)
From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

Hello all,

While recently trying to debug a CEF issue, I found a good number of 
packets in my "debug cef drops" output that were all directed at 
198.32.64.12 (which I see as being allocated to ep.net but completely 
unused).

Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for 
anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet 
due to "no route" (this provider is running defaultless, so unless such a 
route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers 
to a DNS exploit, so should I then dispatch to people to trace down the 
source origin?  (Suffice it to say the resources are there to find it 
fairly easily, even if the source address is forged).

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
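The triage question in the post (ignore a stream of "no route" drops, or investigate them) comes down to volume and concentration: a few drops scattered over minutes are background noise, while a tight burst of packets for a single unrouted address is what justifies tracing the source. The Python below is an added example, not code from the post or from NANOG, that parses "debug cef drops" style lines, aggregates them per destination and flags bursts. The log lines are constructed for the example (modelled on the ones quoted above, with RFC 5737 documentation addresses added), the year is assumed to be 2008 because router syslog timestamps carry none, and the thresholds are illustrative assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the "debug cef drops" lines quoted in the post.
# 192.0.2.77 and 203.0.113.9 are RFC 5737 documentation addresses, not real hosts;
# the final line is deliberately not a CEF-Drop record, to show the parser skips it.
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:27: CEF-Drop: Packet for 203.0.113.9 -- no adjacency
Sep  2 22:03:27: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:27: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:40: CEF-Drop: Packet for 192.0.2.77 -- no route
%SYS-5-CONFIG_I: Configured from console by vty0
"""

# Router syslog timestamps carry no year; the post is from 2008, so that is assumed here.
ASSUMED_YEAR = 2008

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d): "
    r"CEF-Drop: Packet for (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+?)\s*$"
)


def parse_cef_drops(text):
    """Return a list of (timestamp, destination, reason) tuples, skipping any line
    that is not a CEF-Drop record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
        )
        records.append((ts, m["dst"], m["reason"]))
    return records


def summarize(records):
    """Aggregate drops per destination: count, first/last seen, and a reason histogram."""
    summary = {}
    for ts, dst, reason in records:
        entry = summary.setdefault(
            dst, {"count": 0, "first": ts, "last": ts, "reasons": Counter()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["reasons"][reason] += 1
    return summary


def flag_destinations(summary, min_count=5, max_span_seconds=60):
    """Return (destination, count, span_seconds) for destinations that received at
    least min_count drops all landing inside max_span_seconds, highest count first.
    The thresholds are illustrative; tune them to the platform's normal drop rate."""
    flagged = []
    for dst, entry in summary.items():
        span = (entry["last"] - entry["first"]).total_seconds()
        if entry["count"] >= min_count and span <= max_span_seconds:
            flagged.append((dst, entry["count"], span))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    summary = summarize(parse_cef_drops(SAMPLE_LOG))
    for dst, count, span in flag_destinations(summary):
        reasons = ", ".join(f"{r}={n}" for r, n in summary[dst]["reasons"].items())
        print(f"{dst}: {count} drops in {span:.0f}s ({reasons})")
```

Run against the sample, only 198.32.64.12 is flagged: eight drops inside two seconds, exactly the pattern in the post. On a defaultless network the drop itself is the correct outcome; the aggregate is what tells you whether the traffic is worth an upstream trace, and feeding real "debug cef drops" output (or the equivalent syslog export) through `parse_cef_drops` keeps that decision on numbers rather than on eyeballing a scrolling debug.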


