[30251] in North American Network Operators' Group
Re: More on black-holed reserved/8 block.
daemon@ATHENA.MIT.EDU (Henry R. Linneweh)
Fri Jul 21 02:20:41 2000
Message-ID: <3977EA36.776D948E@concentric.net>
Date: Thu, 20 Jul 2000 23:14:14 -0700
From: "Henry R. Linneweh" <linneweh@concentric.net>
Reply-To: linneweh@concentric.net
MIME-Version: 1.0
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
It showed up in a UDP probe on an Aussie connection, so I tracerouted it
for the my associate, now I have a better understanding as to what is going
on.
Valdis.Kletnieks@vt.edu wrote:
> As one person explained to me, often miscreants broadcast a bogus route
> so they can launch an attack from a 'reserved' space.
>
> What I was probably not clear enough in my original question was why the
> person at bungi.com was even TRYING to traceroute to a 98/ address. Was
> it something that showed up in a access log as an failed attempt, or?
>
> Is it the case that above.net is black-holing packets with a *destination*
> in the RBL, but *not* filtering packets with a *source* address from
> the RBL? If so, this would still allow RPC-based attacks (and TCP as well,
> if the victim's box had bad sequence number prediction).
>
> What are other sites that use the RBL BGP feed doing in this case?
>
> (And yes, I understand that many routers can route to a blackhole destination
> a lot faster than they can apply an ACL on the source).
>
> --
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
>
> traceroute to 98.100.32.32 (98.100.32.32): 1-30 hops, 38 byte packets
> 1 main.bungi.com (207.126.97.9) 2.15 ms 1.73 ms 1.86 ms
> 2 above-gw2.above.net (207.126.96.217) 4.41 ms 4.88 ms 3.67 ms
> 3 core5-main2-oc3.sjc.above.net (216.200.0.205) 3.62 ms 4.56 ms
> 7.53 ms
> 4 core3-core5-oc48.sjc2.above.net (208.184.102.206) 6.34 ms 5.7 ms
> 5.3 ms
> 5 iad-sjc2-oc48.iad.above.net (216.200.127.25) 73.0 ms 79.7 ms 72.6
> ms
> 6
> hat.address.is.on.the.rbl.see.www.mail-abuse.org.for.more.information.above.net
>
> ------------------------------------------------------------------------
> Part 1.2Type: application/pgp-signature
--
Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large |
| Gigabit over IP, ieee 802.17 |
|--------------------------------|
Henry R. Linneweh
