198.32.64.12 -- Harmless mis-route or potential exploit?
- Subject: 198.32.64.12 -- Harmless mis-route or potential exploit?
- From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
- Date: Wed, 3 Sep 2008 12:42:48 +0000
well, actually.... this was the IP address used for l.root-servers.net
from 1998-2008. so i guess you could say it's never been used for anything.
we are not currently routing that prefix and there should currently be nothing
at that IP address.
--bill
On Tue, Sep 02, 2008 at 06:24:21PM -0400, Dan Mahoney, System Admin wrote:
> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of
> packets in my "debug cef drops" output that were all directed at
> 198.32.64.12 (which I see as being allocated to ep.net but completely
> unused).
>
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for
> anything, but I see occasional references to it, such as here:
>
> http://www.honeynet.org/papers/forensics/exploit.html
>
> So the question is, should I just ignore this as a properly dropped packet
> due to "no route" (this provider is running defaultless, so unless such a
> route exists, it should be okay).
>
> On the other hand, one of the other packets I'm seeing specifically refers
> to a DNS exploit, so should I then dispatch to people to trace down the
> source origin? (Suffice it to say the resources are there to find it
> fairly easily, even if the source address is forged).
>
> -Dan
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
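
An added example, not part of the original thread: one way to triage "debug cef drops" output like the lines quoted above, tallying drops per destination and annotating the address the reply identifies as the former l.root-servers.net. The function names, the `burst_threshold` value and the sample lines (including the documentation address 192.0.2.55) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Address the reply identifies as the former l.root-servers.net (1998-2008).
KNOWN = {"198.32.64.12": "former l.root-servers.net address, now unrouted"}

# Matches the "debug cef drops" lines quoted in the thread (optional "> " prefix).
DROP_RE = re.compile(
    r"^(?:>\s*)?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): CEF-Drop: "
    r"Packet for (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+?)\s*$"
)

def parse_drops(lines):
    """Yield (timestamp, destination, reason) for every CEF-Drop line."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            yield m["ts"], m["dst"], m["reason"]

def triage(lines, burst_threshold=5):
    """Per destination: total drops, peak drops in one second, and a note."""
    total, per_second, reasons = Counter(), Counter(), {}
    for ts, dst, reason in parse_drops(lines):
        total[dst] += 1
        per_second[(dst, ts)] += 1
        reasons.setdefault(dst, set()).add(reason)
    report = {}
    for dst, count in total.items():
        peak = max(n for (d, _), n in per_second.items() if d == dst)
        report[dst] = {
            "count": count,
            "peak_per_second": peak,
            "burst": peak >= burst_threshold,  # assumed threshold, tune locally
            "reasons": sorted(reasons[dst]),
            "note": KNOWN.get(dst, "unlisted destination, review the source"),
        }
    return report

# Constructed sample in the format of the quoted log; not captured traffic.
SAMPLE = (
    ["Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route"] * 6
    + ["> Sep 2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route",
       "Sep 2 22:03:26: CEF-Drop: Packet for 192.0.2.55 -- no route",
       "Sep 2 22:03:27: %SYS-5-CONFIG_I: Configured from console"]
)

if __name__ == "__main__":
    for dst, info in sorted(triage(SAMPLE).items()):
        print(dst, info)
```
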