[148413] in North American Network Operators' Group
Re: Whois 172/12
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Jan 15 02:58:59 2012
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <CAM9zEH7nU0Z55xzc81a8Z7GfKT_asp2BPA_vG5Cesj7dn=xftg@mail.gmail.com>
Date: Sun, 15 Jan 2012 02:58:11 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Read RFC1918.
Likely a machine on his local network (i.e. behind the same NAT box) is =
hitting him.
But that is not guaranteed. A packet with a source address of 172.0.x.x =
could be hitting his machine. Depends on how well you filter. Many =
networks only look at destination IP address, source can be anything - =
spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back =
to it (unless it was on the local LAN, as I mention above).
--=20
TTFN,
patrick
On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
> As far as I know, 172.0.1.216 is not assigned, yet.
>=20
> whois -h whois.arin.net 172.0.1.216
> [whois.arin.net]
> #
> # Query terms are ambiguous. The query is assumed to be:
> # "n 172.0.1.216"
> #
> # Use "?" to get help.
> #
>=20
> No match found for 172.0.1.216.
>=20
>=20
>=20
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>=20
> Also, when you check BGP routing table, it is not routed at all.
>=20
> route-server.as3257.net>sh ip bgp 172.0.1.216
> % Network not in table
> route-server.as3257.net>
>=20
> So it seems like forged IP address.
>=20
> Alex
>=20
>=20
> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted@fred.net> wrote:
>> Hi all,
>>=20
>> Tearing what's left of my hair out.
>>=20
>> A customer is getting scanned by a host claiming to be =
"172.0.1.216".
>>=20
>> I know this is bogus, but I want to go back to the customer with as
>> much authoritative umph as I can (heaven forbid they just take my
>> word).
>>=20
>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>> something like that. All I can find now is that 172/8 is =
"administered by
>> ARIN". Lots of information on 172.16/12, but not a peep about
>> 172/12.
>>=20
>> If anybody could provide some insight as to the
>> allocation/non-allocation of this block, it would be much =
appreciated.
>>=20
>> Thanks.
>>=20
>> Ted Fischer
>>=20
>>=20
>>=20
>>=20
>>=20
>>=20
>>=20
>=20
