[107369] in North American Network Operators' Group
Re: 198.32.64.12 -- Harmless mis-route or potential exploit?
daemon@ATHENA.MIT.EDU (David Conrad)
Tue Sep 2 19:31:52 2008
From: David Conrad <drc@virtualized.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
In-Reply-To: <alpine.BSF.1.10.0809021808500.83763@prime.gushi.org>
Date: Tue, 2 Sep 2008 16:31:40 -0700
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:

> While recently trying to debug a CEF issue, I found a good number of
> packets in my "debug cef drops" output that were all directed at
> 198.32.64.12 (which I see as being allocated to ep.net but
> completely unused).

As Steve Conte pointed out, that is the address that used to be used
for l.root-servers.net. l.root-servers.net was renumbered almost a
year ago, with the announcement of the old address turned off about 6
months ago.

> So the question is, should I just ignore this as a properly dropped
> packet due to "no route" (this provider is running defaultless, so
> unless such a route exists, it should be okay).

Packets being sent to 198.32.64.12 most likely come from DNS caching
servers that haven't had their hints updated. In the ideal world, you
could hunt down those machines and kick 'em in the head (that is,
install a new hints file). That they're unrouted is definitely the
way things should be.

Regards,
-drc
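
The stale-hints condition described in the message above can be checked on a resolver by scanning its root hints file for A records that still point at 198.32.64.12. The following is an added example, not part of the original message: the function name `stale_hint_records` and the sample hints text are constructed for illustration, and the sample uses a documentation address for the non-stale record.

```python
import ipaddress

RETIRED = ipaddress.ip_address("198.32.64.12")  # old address named in the thread

# Constructed sample in root-hints (zone file) layout; not a published hints file.
SAMPLE_HINTS = """\
; constructed sample for illustration
.                        3600000  IN  NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     192.0.2.10   ; documentation address
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12 ; stale entry
"""

def stale_hint_records(text, retired=RETIRED):
    """Return (line_no, owner) for each A record pointing at the retired address."""
    hits = []
    last_owner = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]            # drop zone-file comments
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():                  # leading blank: owner is inherited
            owner = last_owner
        else:
            owner = fields.pop(0)
            last_owner = owner
        # Skip the optional numeric TTL and class tokens before the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if len(fields) >= 2 and fields[0].upper() == "A":
            try:
                addr = ipaddress.ip_address(fields[1])
            except ValueError:
                continue                       # malformed rdata, nothing to compare
            if addr == retired:
                hits.append((line_no, owner.rstrip(".").lower() if owner else None))
    return hits

if __name__ == "__main__":
    for line_no, owner in stale_hint_records(SAMPLE_HINTS):
        print(f"line {line_no}: {owner} still points at {RETIRED}")
```

To audit a real resolver, pass the contents of its configured hints file to `stale_hint_records` in place of the constructed sample.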