Strange IP addr - C class private network - reaching my comp


Post by Steve Howa » Wed, 13 Mar 2002 09:54:15



I have iptables set up on my linux box.

I noticed a log with a source address of 192.168.20.91 .  I thought it
was a little strange and I pinged it, and there was a reply.  So I did a

$ traceroute 192.168.20.91

and I got the following back. (First few lines omitted)

I thought you couldn't reach those private numbers.  What's going on?

Thanks in advance

--------

 6  207.88.95.225 (207.88.95.225)  139.680 ms  139.603 ms  139.721 ms
 7  ge9-0.dist1.scl-ca.us.xo.net (64.220.2.50)  139.763 ms  140.173 ms  140.124 ms
 8  ge5-3-1.RAR1.SanJose-CA.us.xo.net (64.220.0.62)  140.838 ms  140.867 ms  141.186 ms
 9  p6-0-0.RAR1.Denver-CO.us.xo.net (65.106.0.22)  184.139 ms  184.263 ms  183.979 ms
10  p0-0-0-1.RAR2.Denver-CO.us.xo.net (65.106.1.78)  184.157 ms  183.781 ms  183.959 ms
11  p1-0-0.RAR1.Chicago-IL.us.xo.net (65.106.0.26)  206.694 ms  215.730 ms  212.226 ms
12  p4-0-0.MAR1.Southfield-MI.us.xo.net (65.106.6.174)  212.687 ms  212.801 ms  212.511 ms
13  ge0-0.CLR1.Southfield-MI.us.xo.net (207.88.84.114)  214.388 ms  215.254 ms  214.657 ms
14  Southfield1.NextlinkNCO.DS3.WAN.daf.concentric.net (216.112.137.97)  213.867 ms  214.779 ms  214.070 ms
15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420 ms
16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms
17  192.168.20.91 (192.168.20.91)  305.918 ms  329.371 ms  311.174 ms

 
 
 


Post by Wild Wizar » Wed, 13 Mar 2002 10:10:41



> I have iptables set up on my linux box.

> I noticed a log with a source address of 192.168.20.91 .  I thought it
> was a little strange and I pinged it, and there was a reply.  So I did
> a

> $ traceroute 192.168.20.91

> and I got the following back. (First few lines omitted)

> I thought you couldn't reach those private numbers.  What's going on?

> Thanks in advance

Your ISP or their provider has misconfigured routers. I tried the same trick
here with BigPond in Australia and got as far as the routers on the edge of
the network and got no further. A traceroute to the real IP before the fake
ones went all the way through.

> --------

>  6  207.88.95.225 (207.88.95.225)  139.680 ms  139.603 ms  139.721 ms
>  7  ge9-0.dist1.scl-ca.us.xo.net (64.220.2.50)  139.763 ms  140.173 ms  140.124 ms
>  8  ge5-3-1.RAR1.SanJose-CA.us.xo.net (64.220.0.62)  140.838 ms  140.867 ms  141.186 ms
>  9  p6-0-0.RAR1.Denver-CO.us.xo.net (65.106.0.22)  184.139 ms  184.263 ms  183.979 ms
> 10  p0-0-0-1.RAR2.Denver-CO.us.xo.net (65.106.1.78)  184.157 ms  183.781 ms  183.959 ms
> 11  p1-0-0.RAR1.Chicago-IL.us.xo.net (65.106.0.26)  206.694 ms  215.730 ms  212.226 ms
> 12  p4-0-0.MAR1.Southfield-MI.us.xo.net (65.106.6.174)  212.687 ms  212.801 ms  212.511 ms
> 13  ge0-0.CLR1.Southfield-MI.us.xo.net (207.88.84.114)  214.388 ms  215.254 ms  214.657 ms
> 14  Southfield1.NextlinkNCO.DS3.WAN.daf.concentric.net (216.112.137.97)  213.867 ms  214.779 ms  214.070 ms
> 15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420 ms
> 16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms
> 17  192.168.20.91 (192.168.20.91)  305.918 ms  329.371 ms  311.174 ms

--
*ia law forbids bathtubs in the house; tubs must be kept in the
yard.

 
 
 


Post by Junkie Monke » Wed, 13 Mar 2002 11:39:45


That's an RFC1918 address, which shouldn't be routable, but if your ISP
screwed up, you might see other customers.  I owned my own ISP, and have
seen other ISPs set up frame clouds and the like using these addresses, but
I've never seen an ISP that would tell its customers they knew where those
addresses were.  That'd surely break some folks' connections if they tried to
set up private networks in those spaces....  It's possible that's the case
here.  In either case, your ISP is breaking some rules if their routers are
telling you that they know where those addresses are.  I'd copy your posting
to their support emails, and ask if they are aware that you can get to those
addy's.

Later,
Carlton


> I have iptables set up on my linux box.

> I noticed a log with a source address of 192.168.20.91 .  I thought it
> was a little strange and I pinged it, and there was a reply.  So I did
> a

> $ traceroute 192.168.20.91

> and I got the following back. (First few lines omitted)

> I thought you couldn't reach those private numbers.  What's going on?

> Thanks in advance

> --------

>  6  207.88.95.225 (207.88.95.225)  139.680 ms  139.603 ms  139.721 ms
>  7  ge9-0.dist1.scl-ca.us.xo.net (64.220.2.50)  139.763 ms  140.173 ms  140.124 ms
>  8  ge5-3-1.RAR1.SanJose-CA.us.xo.net (64.220.0.62)  140.838 ms  140.867 ms  141.186 ms
>  9  p6-0-0.RAR1.Denver-CO.us.xo.net (65.106.0.22)  184.139 ms  184.263 ms  183.979 ms
> 10  p0-0-0-1.RAR2.Denver-CO.us.xo.net (65.106.1.78)  184.157 ms  183.781 ms  183.959 ms
> 11  p1-0-0.RAR1.Chicago-IL.us.xo.net (65.106.0.26)  206.694 ms  215.730 ms  212.226 ms
> 12  p4-0-0.MAR1.Southfield-MI.us.xo.net (65.106.6.174)  212.687 ms  212.801 ms  212.511 ms
> 13  ge0-0.CLR1.Southfield-MI.us.xo.net (207.88.84.114)  214.388 ms  215.254 ms  214.657 ms
> 14  Southfield1.NextlinkNCO.DS3.WAN.daf.concentric.net (216.112.137.97)  213.867 ms  214.779 ms  214.070 ms
> 15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420 ms
> 16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms
> 17  192.168.20.91 (192.168.20.91)  305.918 ms  329.371 ms  311.174 ms

 
 
 


Post by Michael Muelle » Wed, 13 Mar 2002 15:18:18



> That's an RFC1918 address, which shouldn't be routable, but if your ISP

You could put the shame on the client too. It was the first instance
which did route the traffic towards this address into the network of the
ISP.

They most probably have a route to it because they use it for internal
purpose. If they wish to protect themselves they might want to start
filtering at their dialup routers. But most ISPs seem to let those
packets go out until they find their native end of life at a router
not having a route to an RFC1918 network, usually one of their border
routers.

Mine however does filter it. They are using RFC1918 addresses for the
administration of customer equipment [DSL modems].

Michael

 
 
 


Post by James Knot » Wed, 13 Mar 2002 22:00:27




>> That's an RFC1918 address, which shouldn't be routable, but if your ISP

> You could put the shame on the client too. It was the first instance
> which did route the traffic towards this address into the network of the
> ISP.

Unless there's a specific rule for them in the routing tables, there is no
reason why a client would not send out those packets to the internet.  
There is nothing special about them that would cause a computer to handle
them differently than any other address.  This means that the ISP *MUST*
implement appropriate routing rules for those RFC1918 packets.

On my own firewall, I have incorporated rules that block any RFC1918
packets to or from the internet.

--

All the facts above are true, except for the ones I made up.


james.knott.

 
 
 


Post by Michael Muelle » Thu, 14 Mar 2002 02:55:26


Hi James,


> Unless there's a specific rule for them in the routing tables, there is no
> reason why a client would not send out those packets to the internet.

Nor is there for an ISP with a static uplink.

> There is nothing special about them that would cause a computer to handle
> them differently than any other address.  This means that the ISP *MUST*
> implement appropriate routing rules for those RFC1918 packets.

RFC1918:
: Because private addresses have no global meaning, routing information
: about private networks shall not be propagated on inter-enterprise
: links, and packets with private source or destination addresses
: should not be forwarded across such links. Routers in networks not
  ^^^^^^
: using private address space, especially those of Internet service
...
: It is strongly recommended that routers which connect enterprises to
        ^^^^^^^^^^^^^^^^^^^^
: external networks are set up with appropriate packet and routing
: filters at both ends of the link in order to prevent packet and
: routing information leakage. An enterprise should also filter any

From my point of view the translation of "strongly recommended" into the
keywords is *SHOULD*.

The authors most probably had in mind that no one can cure the stupidity
of the INTERNET. So they describe one should protect against such
information (IP packets, routing information, DNS entries, ...) to be
propagated into the internal network.

It is all based on the simple concept "Be conservative in what you send
and liberal in what you receive." [RFC1855]

Michael

 
 
 


Post by Dennis Henrikse » Thu, 14 Mar 2002 04:10:47




>>That's an RFC1918 address, which shouldn't be routable, but if your ISP

> You could put the shame on the client too. It was the first instance
> which did route the traffic towards this address into the network of the
> ISP.

> They most probably have a route to it because they use it for internal
> purpose. If they wish to protect themselves they might want to start
> filtering at their dialup routers. But most ISPs seem to let those
> packets go out until they find their native end of life at a router
> not having a route to an RFC1918 network, usually one of their border
> routers.

> Mine however does filter it. They are using RFC1918 addresses for the
> administration of customer equipment [DSL modems].

One could argue that an ISP should consider their net as a public network,
thus abstaining from routing ANY traffic between RFC1918 nets. Only it happens
too often that they confuse the fact that they own their network (between
various access points and their gateway(s)) with the term private network. My
ISP had some services residing on RFC1918 addresses until recently, which
rendered those services inaccessible to me - since I do not wish to allow any
incoming traffic from RFC1918 to my gateway.

/Dennis

 
 
 


Post by Steve Howa » Thu, 14 Mar 2002 10:54:20


Thanks for your reply.

What I don't quite understand is that...

1. Traceroute passed 15 routers before reaching 192.168.20.42.  (I
presume they are routers)  Are you saying that they are all
misconfigured?

2.

What I am particularly curious about is the following lines.

How did the router at '216.112.137.10' find 192.168.20.42?  Does that
mean that it is connected to some private network?

15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420 ms
16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms

Thanks.


> That's an RFC1918 address, which shouldn't be routable, but if your ISP
> screwed up, you might see other customers.  I owned my own ISP, and have
> seen other ISPs set up frame clouds and the like using these addresses, but
> I've never seen an ISP that would tell its customers they knew where those
> addresses were.  That'd surely break some folks' connections if they tried to
> set up private networks in those spaces....  It's possible that's the case
> here.  In either case, your ISP is breaking some rules if their routers are
> telling you that they know where those addresses are.  I'd copy your posting
> to their support emails, and ask if they are aware that you can get to those
> addy's.

> Later,
> Carlton



> > I have iptables set up on my linux box.

> > I noticed a log with a source address of 192.168.20.91 .  I thought it
> > was a little strange and I pinged it, and there was a reply.  So I did
> > a

> > $ traceroute 192.168.20.91

> > and I got the following back. (First few lines omitted)

> > I thought you couldn't reach those private numbers.  What's going on?

> > Thanks in advance

> > --------

> >  6  207.88.95.225 (207.88.95.225)  139.680 ms  139.603 ms  139.721 ms
> >  7  ge9-0.dist1.scl-ca.us.xo.net (64.220.2.50)  139.763 ms  140.173 ms  140.124 ms
> >  8  ge5-3-1.RAR1.SanJose-CA.us.xo.net (64.220.0.62)  140.838 ms  140.867 ms  141.186 ms
> >  9  p6-0-0.RAR1.Denver-CO.us.xo.net (65.106.0.22)  184.139 ms  184.263 ms  183.979 ms
> > 10  p0-0-0-1.RAR2.Denver-CO.us.xo.net (65.106.1.78)  184.157 ms  183.781 ms  183.959 ms
> > 11  p1-0-0.RAR1.Chicago-IL.us.xo.net (65.106.0.26)  206.694 ms  215.730 ms  212.226 ms
> > 12  p4-0-0.MAR1.Southfield-MI.us.xo.net (65.106.6.174)  212.687 ms  212.801 ms  212.511 ms
> > 13  ge0-0.CLR1.Southfield-MI.us.xo.net (207.88.84.114)  214.388 ms  215.254 ms  214.657 ms
> > 14  Southfield1.NextlinkNCO.DS3.WAN.daf.concentric.net (216.112.137.97)  213.867 ms  214.779 ms  214.070 ms
> > 15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420 ms
> > 16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms
> > 17  192.168.20.91 (192.168.20.91)  305.918 ms  329.371 ms  311.174 ms
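
Added example (not part of any post in this thread): a small Python check that takes traceroute output like the one posted above, rejoins the wrapped lines, and reports RFC 1918 hops that answer after a public hop, together with the last public router in front of them. The sample is the last five hops from the thread as they were wrapped in the post; the function names are made up for this illustration.

```python
import ipaddress
import re

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Last five hops of the traceroute posted in the thread, wrapped as in the post.
SAMPLE = """\
13  ge0-0.CLR1.Southfield-MI.us.xo.net (207.88.84.114)  214.388 ms
215.254 ms  214.657 ms
14  Southfield1.NextlinkNCO.DS3.WAN.daf.concentric.net
(216.112.137.97)  213.867 ms  214.779 ms  214.070 ms
15  216.112.137.10 (216.112.137.10)  214.364 ms  213.753 ms  213.420
ms
16  192.168.20.42 (192.168.20.42)  216.084 ms  216.221 ms  215.291 ms
17  192.168.20.91 (192.168.20.91)  305.918 ms  329.371 ms  311.174 ms
"""

HOP_START = re.compile(r"^\s*\d+\s+\S")          # "<hop number> <host or *>"
IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return [(hop, address)], rejoining lines wrapped by the mail client."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if HOP_START.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()    # continuation of previous hop
    hops = []
    for rec in records:
        m = IPV4.search(rec)                     # "* * *" hops have no address
        if m:
            hops.append((int(rec.split()[0]), ipaddress.ip_address(m.group(1))))
    return hops

def private_leak(hops):
    """Return (last public hop, RFC 1918 hops reached after it), or None."""
    last_public, leaked = None, []
    for num, ip in hops:
        if any(ip in net for net in RFC1918):
            if last_public:                      # ignore the local LAN gateway
                leaked.append((num, str(ip)))
        elif not leaked:
            last_public = (num, str(ip))
    return (last_public, leaked) if leaked else None

if __name__ == "__main__":
    print(private_leak(parse_hops(SAMPLE)))
```

A private first hop such as a home gateway is not reported, because no public hop precedes it; only private addresses that answer from beyond a public router are flagged.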