[107368] in North American Network Operators' Group
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
daemon@ATHENA.MIT.EDU (Paul Wall)
Tue Sep 2 18:44:51 2008
Date: Tue, 2 Sep 2008 18:44:44 -0400
From: "Paul Wall" <pauldotwall@gmail.com>
To: "Gadi Evron" <ge@linuxbox.org>
In-Reply-To: <Pine.LNX.4.62.0809021727471.23435@linuxbox.org>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
Gadi,
Could you please take the self-promotion offline already? Enough is
enough! I don't think anybody on this list is interested in hiring
you or reviewing your resume!
(It could be argued that my post is off-topic as well. I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)
Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall
On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
> My profile and resume: http://www.linkedin.com/in/gadievron
> On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
>
>> Hello all,
>>
>> While recently trying to debug a CEF issue, I found a good number of
>> packets in my "debug cef drops" output that were all directed at
>> 198.32.64.12 (which I see as being allocated to ep.net but completely
>> unused).
>>
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>>
>> Now, as nearly as I can tell, this IP address has never been used for
>> anything, but I see occasional references to it, such as here:
>>
>> http://www.honeynet.org/papers/forensics/exploit.html
>>
>> So the question is, should I just ignore this as a properly dropped packet
>> due to "no route" (this provider is running defaultless, so unless such a
>> route exists, it should be okay)?
>>
>> On the other hand, one of the other packets I'm seeing specifically refers
>> to a DNS exploit, so should I then dispatch people to trace down the
>> source origin? (Suffice it to say the resources are there to find it
>> fairly easily, even if the source address is forged.)
>
> It should be treated as an intelligence source; sharing that one openly is
> probably counter-productive.
>
> Regardless, very interesting. I think follow-up just for interest's sake may
> be worth it.
>
>
>> -Dan
>>
>> --
>>
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144 AIM: LarpGM
>> Site: http://www.gushi.org
>> ---------------------------
>>
>>
>
>
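The thread above asks whether a stream of "no route" CEF drops toward an allocated-but-unused address is worth chasing. Before deciding, an operator usually wants the drop log reduced to counts per destination and reason, with destinations inside prefixes they already consider suspect flagged for follow-up. The script below is an added example written for this page, not code from the NANOG thread or from Cisco; it parses lines in the same shape as the quoted `debug cef drops` output. The `WATCH_PREFIXES` list and the `192.0.2.77` line in the sample log are constructed placeholders, not data from the thread.

```python
"""Summarise Cisco 'debug cef drops' style log lines by destination and reason.

Added example for this page (not code from the thread or from Cisco). It parses
lines of the form quoted above, counts drops per destination and reason, and
flags destinations that fall inside prefixes the operator has listed as
allocated-but-unused. WATCH_PREFIXES is a constructed placeholder.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Matches lines such as:
#   Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
CEF_DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): CEF-Drop: "
    r"Packet for (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)

# Constructed watch list (assumption, not from the page): prefixes the operator
# believes are allocated but unused, so traffic toward them deserves a look.
WATCH_PREFIXES = [ipaddress.ip_network("198.32.64.0/24")]


def parse_cef_drops(lines):
    """Yield (timestamp, destination, reason) for each well-formed drop line."""
    for line in lines:
        m = CEF_DROP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("dst"), m.group("reason").strip()


def summarise(lines, watch_prefixes=WATCH_PREFIXES):
    """Return per-destination counts, per-destination reason counts, and the
    subset of destinations that lie inside a watched prefix."""
    counts = Counter()
    reasons = defaultdict(Counter)
    for _ts, dst, reason in parse_cef_drops(lines):
        counts[dst] += 1
        reasons[dst][reason] += 1
    flagged = {
        dst: n
        for dst, n in counts.items()
        if any(ipaddress.ip_address(dst) in p for p in watch_prefixes)
    }
    return {
        "counts": dict(counts),
        "reasons": {d: dict(r) for d, r in reasons.items()},
        "flagged": flagged,
    }


# Constructed sample: three lines mirror the quoted output; the 192.0.2.77 line
# and the unrelated line are added to show aggregation and skipping of noise.
SAMPLE_LOG = """\
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep 2 22:03:26: some unrelated debug line
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.splitlines())
    for dst, n in sorted(result["counts"].items(), key=lambda kv: -kv[1]):
        mark = "  <- in watched prefix" if dst in result["flagged"] else ""
        print(f"{dst:16} {n:4d} {result['reasons'][dst]}{mark}")
```

Feed it the raw `debug cef drops` output (for example, `summarise(open("cef.log"))`) and extend `WATCH_PREFIXES` with whatever space you consider dark; on a defaultless router the "no route" reason is expected for such destinations, so the count and persistence per source of the flagged entries, not the drop itself, is what decides whether a trace is worth dispatching.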