[107366] in North American Network Operators' Group


Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

daemon@ATHENA.MIT.EDU (Gadi Evron)
Tue Sep 2 18:28:45 2008

Date: Tue, 2 Sep 2008 17:28:36 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
In-Reply-To: <alpine.BSF.1.10.0809021808500.83763@prime.gushi.org>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

My profile and resume: http://www.linkedin.com/in/gadievron
On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:

> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of packets 
> in my "debug cef drops" output that were all directed at 198.32.64.12 (which 
> I see as being allocated to ep.net but completely unused).
>
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for 
> anything, but I see occasional references to it, such as here:
>
> http://www.honeynet.org/papers/forensics/exploit.html
>
> So the question is, should I just ignore this as a properly dropped packet 
> due to "no route" (this provider is running defaultless, so unless such a 
> route exists, it should be okay).
>
> On the other hand, one of the other packets I'm seeing specifically refers to 
> a DNS exploit, so should I then dispatch to people to trace down the source 
> origin?  (Suffice it to say the resources are there to find it fairly 
> easily, even if the source address is forged).

It should be treated as an intelligence source, sharing that one openly is 
probably counter-productive.

Regardless, very interesting. I think follow-up just for interest's sake 
may be worth it.


> -Dan
>
> -- 
>
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
>
>

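As an added illustration of the triage question raised in the thread (this is not code from either poster), the script below parses "debug cef drops" lines in the format quoted above, counts no-route drops per destination, and checks each destination against a hypothetical routing table. On a defaultless router a no-route drop for an address no prefix covers is the expected outcome; a no-route drop for an address that a carried prefix does cover points at a RIB/FIB inconsistency worth checking before anyone is dispatched to trace a source. The log sample, the `KNOWN_ROUTES` prefixes (documentation ranges), and the repeat threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the "debug cef drops" format quoted in the thread
# (not real router output): the 198.32.64.12 lines mirror the post, the
# 192.0.2.77 line is added to show the "covered by a route" case.
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep  2 22:03:27: CEF-Drop: Packet for 198.32.64.12 -- no route
"""

# Hypothetical prefixes a defaultless router is assumed to carry
# (RFC 5737 documentation ranges, chosen for the example only).
KNOWN_ROUTES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

DROP_RE = re.compile(
    r"CEF-Drop: Packet for (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+?)\s*$"
)


def parse_drops(log_text):
    """Return a list of (destination, reason) tuples, one per CEF-Drop line."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append((m.group("dst"), m.group("reason")))
    return drops


def count_by_destination(drops):
    """Count no-route drops per destination address."""
    return Counter(dst for dst, reason in drops if reason == "no route")


def has_route(dst, routes):
    """True if some prefix in the (hypothetical) routing table covers dst."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in routes)


def triage(log_text, routes, repeat_threshold=3):
    """Classify each destination seen in no-route drops.

    'expected'     - no covering prefix: the normal fate of such a packet on a
                     defaultless router; repeated hits are still worth a look
    'inconsistent' - a carried prefix covers it yet CEF reports no route:
                     check the RIB/FIB before chasing an external source
    """
    result = {}
    for dst, count in count_by_destination(parse_drops(log_text)).items():
        covered = has_route(dst, routes)
        result[dst] = {
            "count": count,
            "covered": covered,
            "verdict": "inconsistent" if covered else "expected",
            "repeated": count >= repeat_threshold,
        }
    return result


if __name__ == "__main__":
    for dst, info in sorted(triage(SAMPLE_LOG, KNOWN_ROUTES).items()):
        print(dst, info)
```

Feeding the router's real routing table into `KNOWN_ROUTES` (rather than the constructed list) is what makes the "inconsistent" verdict meaningful; the repeat count separates a single stray packet from the steady stream the original poster saw.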
