[30242] in North American Network Operators' Group
More on black-holed reserved/8 block.
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Jul 20 13:14:23 2000
Message-Id: <200007201712.e6KHC8Y26340@black-ice.cc.vt.edu>
To: nanog@merit.edu
From: Valdis.Kletnieks@vt.edu
Date: Thu, 20 Jul 2000 13:12:03 -0400
Errors-To: owner-nanog-outgoing@merit.edu
As one person explained to me, often miscreants broadcast a bogus route
so they can launch an attack from a 'reserved' space.
What I was probably not clear enough about in my original question was why the
person at bungi.com was even TRYING to traceroute to a 98/ address. Was
it something that showed up in an access log as a failed attempt, or?
Is it the case that above.net is black-holing packets with a *destination*
in the RBL, but *not* filtering packets with a *source* address from
the RBL? If so, this would still allow RPC-based attacks (and TCP as well,
if the victim's box had bad sequence number prediction).
What are other sites that use the RBL BGP feed doing in this case?
(And yes, I understand that many routers can route to a blackhole destination
a lot faster than they can apply an ACL on the source).
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
traceroute to 98.100.32.32 (98.100.32.32): 1-30 hops, 38 byte packets
 1 main.bungi.com (207.126.97.9) 2.15 ms 1.73 ms 1.86 ms
 2 above-gw2.above.net (207.126.96.217) 4.41 ms 4.88 ms 3.67 ms
 3 core5-main2-oc3.sjc.above.net (216.200.0.205) 3.62 ms 4.56 ms 7.53 ms
 4 core3-core5-oc48.sjc2.above.net (208.184.102.206) 6.34 ms 5.7 ms 5.3 ms
 5 iad-sjc2-oc48.iad.above.net (216.200.127.25) 73.0 ms 79.7 ms 72.6 ms
 6 hat.address.is.on.the.rbl.see.www.mail-abuse.org.for.more.information.above.net
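An added illustration of the gap the post asks about (this is editor-supplied example code, not part of the original message or of any above.net configuration): given a set of prefixes that a BGP blackhole feed would null-route, it labels flow records by whether a destination-only blackhole would drop them or whether only an ingress ACL on the source address would. The feed prefixes and flow records are constructed for the example; 98.0.0.0/8 is taken from the traceroute above, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.

```python
# Added example, not from the original post. Classifies flows against a
# constructed blackhole-feed prefix list to show which ones a
# destination-only null route misses.
import ipaddress

# Constructed stand-in for prefixes received from a blackhole BGP feed.
FEED_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("98.0.0.0/8", "203.0.113.0/24")]

# Constructed flow records: (source, destination, protocol/port).
SAMPLE_FLOWS = [
    ("207.126.97.9", "98.100.32.32", "icmp"),     # probe INTO listed space
    ("98.100.32.32", "192.0.2.20", "udp/111"),    # sourced FROM listed space
    ("192.0.2.10", "192.0.2.20", "tcp/80"),       # ordinary traffic
    ("203.0.113.7", "192.0.2.20", "tcp/25"),      # sourced from 2nd listed block
]


def listed(addr, prefixes=FEED_PREFIXES):
    """Return the feed prefix containing addr, or None if it is not listed."""
    ip = ipaddress.ip_address(addr)
    for net in prefixes:
        if ip in net:
            return net
    return None


def classify(flow, prefixes=FEED_PREFIXES):
    """Label a flow by which filter would catch it.

    'dst_blackhole': a null route for the destination prefix drops it.
    'src_only':      only an ingress ACL on the source drops it; a
                     destination-only blackhole forwards it unchanged.
    'pass':          neither address is in the feed.
    """
    src, dst, _proto = flow
    if listed(dst, prefixes) is not None:
        return "dst_blackhole"
    if listed(src, prefixes) is not None:
        return "src_only"
    return "pass"


def leaks_through_dst_blackhole(flows=SAMPLE_FLOWS, prefixes=FEED_PREFIXES):
    """Flows a destination-only blackhole would still forward although their
    source sits in listed space: exactly the case the post asks about."""
    return [f for f in flows if classify(f, prefixes) == "src_only"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(classify(f), f)
```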