hi list,
got this message some minutes ago
May 2 12:25:55 server kernel: Packet log: input DENY eth0 PROTO=1 192.168.0.2:3 this.is.my.ip:1 L=88 S=0x00 I=52687 F=0x000 0 T=243
where eth0 is the outbound-interface which is protected by ipchains from ip-spoofing. some kind of attack?!
any ideas are appreciated...;-) many thanks in advance, bye,
daniel
> hi list,
> got this message some minutes ago
> May 2 12:25:55 server kernel: Packet log: input DENY eth0 PROTO=1 192.168.0.2:3 this.is.my.ip:1 L=88 S=0x00 I=52687 F=0x000 0 T=243
This is a filtered icmp, subtype host-unreachable. I doubt that it is a brilliant idea to filter these since you have to run into timeouts of connect() without them.
> where eth0 is the outbound-interface which is protected by ipchains from ip-spoofing. some kind of attack?!
> any ideas are appreciated...;-) many thanks in advance, bye,
> daniel
Roman.
hi roman,
but what about the internal-ip-range 192.168.0.x coming on my outbound-if?! shouldn't this ip have been masqueraded?! i thought about a specific ip-spoofing attack.
bye,
daniel
Roman Drahtmueller wrote:
> > hi list,
> > got this message some minutes ago
> > May 2 12:25:55 server kernel: Packet log: input DENY eth0 PROTO=1 192.168.0.2:3 this.is.my.ip:1 L=88 S=0x00 I=52687 F=0x000 0 T=243
> This is a filtered icmp, subtype host-unreachable.
> I doubt that it is a brilliant idea to filter these since you have to run into timeouts of connect() without them.
> > where eth0 is the outbound-interface which is protected by ipchains from ip-spoofing. some kind of attack?!
> > any ideas are appreciated...;-) many thanks in advance, bye,
> > daniel
> Roman.
> hi roman,
> but what about the internal-ip-range 192.168.0.x coming on my outbound-if?! shouldn't this ip have been masqueraded?! i thought about a specific ip-spoofing attack.
> bye,
> daniel
Well, it looks as if the packet indeed came from the outside. In which
case somebody somehow didn't get his masquerading rules set up and used
the 192.168 address as source IP for packets to the outside.
This is not forbidden. It's just that there's no way for some packet to
get back to the sender because routers shouldn't have a route for the
192.168 network. Sometimes it happens that some router (seen it in German
university networks sometimes) announces a route for the private networks.
You can be sure that the admins enjoy themselves with all the mail that
comes in from people making fun of them. :-)
Roman.
--
Roman Drahtmüller
On Wed, May 02, 2001 at 01:52:54PM +0200, Roman Drahtmueller wrote:
> This is not forbidden. It's just that there's no way for some packet to get back to the sender because routers shouldn't have a route for the 192.168 network. Sometimes it happens that some router (seen it in German university networks sometimes) announces a route for the private networks.
Hi!
Perhaps a little bit off-topic, but can somebody explain what happens when routes for 192.168. networks are announced?
TIA, Alex.
--
Alexander Liesch http://www.alexliesch.de/alex/
Lichtwiesenweg 9 Phone: +49 (0)6151 154715
64287 Darmstadt Fax/UMS: +49 (0)1212 5 10309699
Germany GnuPG/PGP-Key: 0xBC985C75
> On Wed, May 02, 2001 at 01:52:54PM +0200, Roman Drahtmueller wrote:
> > This is not forbidden. It's just that there's no way for some packet to get back to the sender because routers shouldn't have a route for the 192.168 network. Sometimes it happens that some router (seen it in German university networks sometimes) announces a route for the private networks.
> Hi!
> Perhaps a little bit off-topic, but can somebody explain what happens when routes for 192.168. networks are announced?
Well it's not a much better idea than announcing a default route, at least 2 ISPs have managed to do this, and the result was lost traffic and their network completely saturated, so much so they couldn't even log in to their routers to fix. Generally it's very bad form to put out 'private' addresses in DNS or routing tables, announcing a route for them is likely to result in complaints. If multiple ISPs put private nets into the BGP data, they would clash, and possibly cause flapping, where changed tables are propagating to millions of routers... BGP suppresses flappers after a while, but best to avoid the whole problem, by explicitly filtering out any routes to 10. 192.168 and the class C nets.
Rob
Just for completeness sake, and to prevent possible confusion...
10.0.0.0/8 --> 1 private A range (24 bits).
172.16.0.0/12 --> 16 private B ranges (16 bits).
192.168.0.0/16 --> 256 private C ranges (8 bits).
And there's a large number of private address ranges that are owned by various companies (like Microsoft, using 'm to assign to not configured NIC's). But these are of less interest.
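Added example, not part of the original thread: a Python parser for the ipchains `Packet log:` line discussed above. It decodes the ICMP type and code that ipchains writes into the two port positions and checks the source against the three private ranges listed in the thread. The destination 203.0.113.10 is a constructed stand-in for the redacted address, and the function and field names are assumptions of this example.

```python
import ipaddress
import re

# ipchains "Packet log" fields: chain, action, interface, protocol, src:port, dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# The three private ranges listed in the thread (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Small subset of ICMP (type, code) pairs; type 3 is "destination unreachable".
ICMP_NAMES = {
    (0, 0): "echo-reply",
    (3, 0): "network-unreachable",
    (3, 1): "host-unreachable",
    (3, 3): "port-unreachable",
    (8, 0): "echo-request",
}

def analyse(line, external_iface="eth0"):
    """Decode one log line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {k: m[k] for k in ("chain", "action", "iface", "src", "dst")}
    rec["proto"] = int(m["proto"])
    sport, dport = int(m["sport"]), int(m["dport"])
    if rec["proto"] == 1:
        # For ICMP, the two "port" positions carry type and code.
        rec["icmp"] = ICMP_NAMES.get((sport, dport), f"type {sport} code {dport}")
    else:
        rec["sport"], rec["dport"] = sport, dport
    src = ipaddress.ip_address(rec["src"])
    rec["private_src"] = any(src in net for net in PRIVATE_NETS)
    # Private source seen on the external interface: spoofed, or leaked
    # un-masqueraded from someone else's network as described in the thread.
    rec["private_on_external"] = rec["private_src"] and rec["iface"] == external_iface
    return rec

# Constructed sample: the thread's log line with a documentation address
# in place of the redacted destination and F= written without the stray space.
SAMPLE = ("May 2 12:25:55 server kernel: Packet log: input DENY eth0 PROTO=1 "
          "192.168.0.2:3 203.0.113.10:1 L=88 S=0x00 I=52687 F=0x0000 T=243")

if __name__ == "__main__":
    print(analyse(SAMPLE))
```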