[148433] in North American Network Operators' Group
RE: Whois 172/12
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sun Jan 15 13:50:17 2012
Date: Sun, 15 Jan 2012 11:49:22 -0700
In-Reply-To: <3726cbbfb38c55f08812d244272f261d.squirrel@secure.xecu.net>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
As port 137 is the Netbios Name Service port are you *sure* this is a port
scan and not a windows box (or other OS running NetBIOS crud) that simply
has fat-fingered addresses configured?
---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
> -----Original Message-----
> From: Ted Fischer [mailto:ted@fred.net]
> Sent: Sunday, 15 January, 2012 01:20
> To: nanog@nanog.org
> Subject: Re: Whois 172/12
>
> Thanks for the replies so far, but not what I was looking for.
>
> I should have specified that I've done several ns & dig lookups just to
> make sure.
>
> We were supposed to have lit up the last of IPv4 last year. I would have
> presumed that meant that there was nothing left. Since I can't find a
> reference to 172/12 anywhere, one might be led to presume that it was
> allocated somehow, to someone (perhaps inadvertently not recorded) since
> there are - supposedly - no fresh IPv4 addresses left to allocate, and the
> only reference to this block is that 172/8 is allocated to ARIN. It
> doesn't even appear in RFC 5735.
>
> We all know about 172.16/12 - nothing left of that horse but glue.
>
> My question is about 172/12. Where is it, what is its supposed purpose.
> I'm almost sure it's an internal box. I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway".
>
> If someone can point out to me what was done with 172/12 I'd appreciate it.
>
>
> Patrick opined:
> > Read RFC1918.
>
> I didn't remember seeing anything about 172/12 in RFC1918. Looked at it
> again. Is there something about 172/12 I missed? Thanks.
>
> > Likely a machine on his local network (i.e. behind the same NAT box) is
> > hitting him.
> >
> > But that is not guaranteed. A packet with a source address of 172.0.x.x
> > could be hitting his machine. Depends on how well you filter. Many
> > networks only look at destination IP address, source can be anything -
> > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back
> > to it (unless it was on the local LAN, as I mention above).
> >
> > --
> > TTFN,
> > patrick
> >
> >
> > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
> >
> >> As far as I know, 172.0.1.216 is not assigned, yet.
> >>
> >> whois -h whois.arin.net 172.0.1.216
> >> [whois.arin.net]
> >> #
> >> # Query terms are ambiguous. The query is assumed to be:
> >> # "n 172.0.1.216"
> >> #
> >> # Use "?" to get help.
> >> #
> >>
> >> No match found for 172.0.1.216.
> >>
> >>
> >>
> >> #
> >> # ARIN WHOIS data and services are subject to the Terms of Use
> >> # available at: https://www.arin.net/whois_tou.html
> >> #
> >>
> >> Also, when you check BGP routing table, it is not routed at all.
> >>
> >> route-server.as3257.net>sh ip bgp 172.0.1.216
> >> % Network not in table
> >> route-server.as3257.net>
> >>
> >> So it seems like forged IP address.
> >>
> >> Alex
> >>
> >>
> >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted@fred.net> wrote:
> >>> Hi all,
> >>>
> >>> Tearing what's left of my hair out.
> >>>
> >>> A customer is getting scanned by a host claiming to be "172.0.1.216".
> >>>
> >>> I know this is bogus, but I want to go back to the customer with as
> >>> much authoritative umph as I can (heaven forbid they just take my
> >>> word).
> >>>
> >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> >>> something like that. All I can find now is that 172/8 is "administered by
> >>> ARIN". Lots of information on 172.16/12, but not a peep about
> >>> 172/12.
> >>>
> >>> If anybody could provide some insight as to the
> >>> allocation/non-allocation of this block, it would be much appreciated.
> >>>
> >>> Thanks.
> >>>
> >>> Ted Fischer
>
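Added example, not part of the original thread: a small triage script for the two checks discussed above, whether a source address falls inside RFC 1918 space (172.16.0.0/12 is private, 172.0.0.0/12 is not) and whether a source's traffic is confined to udp/137 (NetBIOS name service) or spread across many ports. The log format, the sample lines and the `scan_port_threshold` value are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The three RFC 1918 private blocks. 172.16.0.0/12 covers 172.16.0.0-172.31.255.255 only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical "proto src:sport -> dst:dport" format.
SAMPLE_LOG = """\
udp 172.0.1.216:137 -> 192.0.2.10:137
udp 172.0.1.216:137 -> 192.0.2.11:137
udp 172.0.1.216:137 -> 192.0.2.12:137
tcp 172.20.5.9:40112 -> 192.0.2.10:22
tcp 172.20.5.9:40113 -> 192.0.2.10:23
tcp 172.20.5.9:40114 -> 192.0.2.10:80
tcp 172.20.5.9:40115 -> 192.0.2.10:443
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(tcp|udp) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def triage(log_text, scan_port_threshold=4):
    """Group by source; report the address class and whether the traffic looks
    like NetBIOS name-service chatter (udp/137 only) or a multi-port sweep."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        proto, src, _sport, _dst, dport = m.groups()
        ports[src].add((proto, int(dport)))
    report = {}
    for src, seen in ports.items():
        if seen == {("udp", 137)}:
            pattern = "netbios-ns only"
        elif len(seen) >= scan_port_threshold:
            pattern = "multi-port sweep"
        else:
            pattern = "other"
        report[src] = {"rfc1918": is_rfc1918(src), "pattern": pattern}
    return report
```

A source that is outside RFC 1918 space and only ever sends udp/137 matches the misconfigured-NetBIOS-host case; the script cannot tell whether the source address itself is spoofed.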